Core: Disable nested bridge access by default.

e3ndr · WanneSimon · e3ndr · commit 652786bdec67 · 2024-03-09T18:58:01.000-06:00
There is now an additional method. Security reasons :)

Co-Authored-By: wanne seville &lt;29028687+WanneSimon@users.noreply.github.com&gt;
diff --git a/core/src/main/java/dev/webview/webview_java/Webview.java b/core/src/main/java/dev/webview/webview_java/Webview.java
@@ -46,8 +46,6 @@ public class Webview implements Closeable, Runnable {
     @Deprecated
     public long $pointer;
 
-//    private String initScript = "";
-
     /**
      * Creates a new Webview. <br/>
      * The default size will be set, and if the size is set again before loading the
@@ -186,27 +184,44 @@ public void setFixedSize(int width, int height) {
     }
 
     /**
-     * Sets the script to be run on page load.
+     * Sets the script to be run on page load. Defaults to no nested access (false).
      * 
      * @implNote        This get's called AFTER window.load.
      * 
      * @param    script
+     * 
+     * @see             #setInitScript(String, boolean)
      */
     public void setInitScript(@NonNull String script) {
+        this.setInitScript(script, false);
+    }
+
+    /**
+     * Sets the script to be run on page load.
+     * 
+     * @implNote                   This get's called AFTER window.load.
+     * 
+     * @param    script
+     * @param    allowNestedAccess whether or not to inject the script into nested
+     *                             iframes.
+     */
+    public void setInitScript(@NonNull String script, boolean allowNestedAccess) {
         script = String.format(
-            "(async () => {"
+            "(() => {"
                 + "try {"
+                + "if (window.top == window.self || %b) {"
                 + "%s"
+                + "}"
                 + "} catch (e) {"
                 + "console.error('[Webview]', 'An error occurred whilst evaluating init script:', %s, e);"
                 + "}"
                 + "})();",
+            allowNestedAccess,
             script,
             '"' + _WebviewUtil.jsonEscape(script) + '"'
         );
 
         N.webview_init($pointer, script);
-//        this.initScript = script;
     }
 
     /**
@@ -219,13 +234,11 @@ public void eval(@NonNull String script) {
             N.webview_eval(
                 $pointer,
                 String.format(
-                    "(async () => {"
-                        + "try {"
+                    "try {"
                         + "%s"
                         + "} catch (e) {"
                         + "console.error('[Webview]', 'An error occurred whilst evaluating script:', %s, e);"
-                        + "}"
-                        + "})();",
+                        + "}",
                     script,
                     '"' + _WebviewUtil.jsonEscape(script) + '"'
                 )
