WebView accesses the internet without Android network permissions (edit: false alarm?)

[Juan-de-Salgado]

Hi,
I was trying to use the WebView widget to show rich text, images, etc. (as a matter of fact, the user manual of the app). I create a local server and serve files from a subdirectory under resources/, to localhost:42001. So far so good.

But I noticed that, on Android, if my help pages happen to contain a link to Wikipedia, WebView would happily jump to that link, even if my app has no network permissions! How is this even possible?

I know you could reply, "doctor, doctor, it hurts when I move my arm - don't move your arm, then." I may create my local files and be sure that there are only links to other local files, and no external links. But I wouldn't want my users to be concerned, when recognizing (or if I tell them) that the on-app manual runs a web server. Seems like a security hole to me.

Proof-of-concept code attached: poc.zip

--
Edit: probably my bad. The AndroidManifest.xml DOES contain INTERNET and ACCESS_NETWORK_STATE permissions. I was thrown off, because in the Android emulator's Settings/Apps, the app shows with "No permissions requested", for some reason. Deleting these two permissions from the manifest makes the app crash when instantiating the HTTPServer (localserver.py:19).

If anyone knows of a way of serving local pages without permissions, I'd be interested. It is possible to fill in an HTML page to the WebView without any local server, by calling set_content instead of setting the "url" property, but then I don't see how links can be followed. Sorry for the false alarm!

[freakboy3742]

Glad to hear you worked this out; however, regarding the local pages - I suspect you'll find that the WebView isn't differentiating between localhost and any other address with respect to permissions. You're accessing localhost "over the network" because you're using network protocols to do so; the "hardware reality" of the situation doesn't really enter into consideration.

And, as you've noted, set_content will let you show a single page, but not navigate between pages. This is essentially because there's no way for a page to know that the URL is "on the same server". You might be able to pull something together by catching the navigation request and manually setting the page to the new static content - but that's very much "off label" usage of Toga's webview - there definitely isn't a public API for that.

[Juan-de-Salgado]

Thanks very much for your time and suggestions.