Handle target="_blank" links in authorization WebView, Fixes AB#3535641 (#3010)

**Problem**
Total loss recovery is a feature provided by VID to recover the user's
account. This gets initiated from inside of the webview. See below
screenshot for reference. Once the user clicks on "Recover your
account", the flow goes through a set of redirects - sometimes to 3P
identity verifiers where they may handle button clicks differently. They
may contain links with target="_blank" (ideally used in websites where
they want to open a new tab upon a button or link click)(e.g., Terms of
Use, privacy links), the Android WebView silently drops these
navigations. Users tap the link and nothing happens — no browser opens,
no feedback is given.

**Solution**
Override onCreateWindow to intercept target="_blank" navigations and
open them in the device's default external browser via intent.
Note : This will ONLY be enabled for TLR links. The check is made in
OnPageLoadedCallback method of WebViewAuthorizationFragment.
- **How are we gating it only for TLR URLs?** : When a page is loaded,
we know its url, we check if it matches the TLR url pattern.. If it
does, we enable multiple windows support in webview by calling the
method setSupportMultipleWindows(true). Else, it is the same as today
(set to false).
- **Would onCreateWindow method be called even when
setSupportMultipleWindows is false?** : No, it completely needs
setSupportMultipleWindows to be true. So, the code in onCreateWindow
need not be behind a flight as the code triggering it is already behind
the flight.

**Feature gating**
The change is gated behind ENABLE_WEBVIEW_MULTIPLE_WINDOWS
CommonFlight: default false (safe for MSAL/non-broker callers)
BrokerFlight: overrides to true (enabled in broker context)

**Telemetry**
The change also involves adding a new span with default sampling rate.
But we expect this span to be emitted in very low numbers (10 to 20 per
day) once Total loss recovery feature is enabled. Once this feature is
stabilized, we can remove this span.

Fixes
[AB#3535641](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3535641)

Author: somalaya

changelog.txt

@@ -4,6 +4,7 @@ vNext
 - [MINOR] Remove LruCache from SharedPreferencesFileManager (#2910)
 - [MINOR] Edge TB: Claims (#2925)
 - [PATCH] Update Moshi to 1.15.2 to resolve okio CVE-2023-3635 vulnerability (#3005)
+- [MINOR] Handle target="_blank" links in authorization WebView (#3010)
 
 Version 24.0.1
 ----------

common/src/main/java/com/microsoft/identity/common/adal/internal/AuthenticationConstants.java

@@ -1481,6 +1481,36 @@ public static String computeMaxHostBrokerProtocol() {
          */
         public static final String REDIRECT_SSL_PREFIX = "https://";
 
+        /**
+         * Path segment for the TLR (Total loss recovery) start page.
+         */
+        public static final String TLR_START_PATH = "/tlr/start";
+
+        /**
+         * WebView routing value when the target URL from a target=_blank navigation is null.
+         */
+        public static final String WEBVIEW_TARGET_BLANK_ROUTE_NULL_URL = "null_url";
+
+        /**
+         * WebView routing value when the target URL is not SSL-protected.
+         */
+        public static final String WEBVIEW_TARGET_BLANK_ROUTE_NON_SSL = "non_ssl";
+
+        /**
+         * WebView routing value when the target URL is loaded inline (non-TLR page).
+         */
+        public static final String WEBVIEW_TARGET_BLANK_ROUTE_NON_TLR = "non_tlr_flow";
+
+        /**
+         * WebView routing value when the target URL is delegated to the system browser (TLR page).
+         */
+        public static final String WEBVIEW_TARGET_BLANK_ROUTE_TLR = "tlr_flow";
+
+        /**
+         * WebView routing value when the popup was not initiated by a user gesture.
+         */
+        public static final String WEBVIEW_TARGET_BLANK_ROUTE_NO_USER_GESTURE = "no_user_gesture";
+
         /**
          * Prefix in the redirect for PlayStore.
          */

common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/WebViewAuthorizationFragment.java

@@ -40,14 +40,17 @@
 import android.net.Uri;
 import android.os.Build;
 import android.os.Bundle;
+import android.os.Message;
 import android.view.LayoutInflater;
 import android.view.MotionEvent;
 import android.view.View;
 import android.view.ViewGroup;
 import android.webkit.PermissionRequest;
 import android.webkit.WebChromeClient;
+import android.webkit.WebResourceRequest;
 import android.webkit.WebSettings;
 import android.webkit.WebView;
+import android.webkit.WebViewClient;
 import android.widget.ProgressBar;
 
 import androidx.activity.result.ActivityResultLauncher;
@@ -79,6 +82,7 @@
 import com.microsoft.identity.common.java.util.StringUtil;
 import com.microsoft.identity.common.logging.Logger;
 
+import com.microsoft.identity.common.java.opentelemetry.AttributeName;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.util.Arrays;
@@ -87,8 +91,14 @@
 
 import static com.microsoft.identity.common.java.AuthenticationConstants.OAuth2.UTID;
 
+import com.microsoft.identity.common.java.opentelemetry.OTelUtility;
+import com.microsoft.identity.common.java.opentelemetry.SpanExtension;
+import com.microsoft.identity.common.java.opentelemetry.SpanName;
 
+import io.opentelemetry.api.trace.Span;
 import io.opentelemetry.api.trace.SpanContext;
+import io.opentelemetry.api.trace.StatusCode;
+import io.opentelemetry.context.Scope;
 
 /**
  * Authorization fragment with embedded webview.
@@ -147,6 +157,7 @@ public void onCreate(@Nullable Bundle savedInstanceState) {
         if (activity != null) {
             WebViewUtil.setDataDirectorySuffix(activity.getApplicationContext());
         }
+
         if (CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_LEGACY_FIDO_SECURITY_KEY_LOGIC)
                 && Build.VERSION.SDK_INT < Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
             mFidoLauncher = registerForActivityResult(
@@ -264,6 +275,14 @@ public void onPageLoaded(final String url) {
                         if (!mAuthResultSent && !StringExtensions.isNullOrBlank(javascriptToExecute[0])) {
                             mWebView.evaluateJavascript(javascriptToExecute[0], null);
                         }
+
+                        // Dynamically toggle multiple-windows support so that target="_blank"
+                        // interception is active ONLY on the TLR start page. On all other
+                        // pages the WebView behaves exactly as before.
+                        if (CommonFlightsManager.INSTANCE.getFlightsProvider()
+                                .isFlightEnabled(CommonFlight.ENABLE_WEBVIEW_MULTIPLE_WINDOWS)) {
+                            mWebView.getSettings().setSupportMultipleWindows(isTlrUrl(url));
+                        }
                     }
                 },
                 mRedirectUri,
@@ -352,6 +371,7 @@ public boolean onTouch(final View view, final MotionEvent event) {
         mWebView.getSettings().setUseWideViewPort(true);
         mWebView.getSettings().setBuiltInZoomControls(webViewZoomControlsEnabled);
         mWebView.getSettings().setSupportZoom(webViewZoomEnabled);
+
         mWebView.setVisibility(View.INVISIBLE);
         mWebView.setWebViewClient(webViewClient);
         mWebView.setWebChromeClient(new WebChromeClient() {
@@ -376,10 +396,125 @@ public Bitmap getDefaultVideoPoster() {
                 // We will return a 10x10 empty image, instead of the default grey playback image. #2424
                 return Bitmap.createBitmap(10, 10, Bitmap.Config.ARGB_8888);
             }
+
+            @Override
+            public boolean onCreateWindow(final WebView view, boolean isDialog,
+                                          boolean isUserGesture, final Message resultMsg) {
+                if (resultMsg.obj == null) {
+                    Logger.error(methodTag, "onCreateWindow: resultMsg.obj is null, cannot set up transport.", null);
+                    return false;
+                }
+
+                final SpanContext parentSpanContext = requireActivity() instanceof AuthorizationActivity
+                        ? ((AuthorizationActivity) requireActivity()).getSpanContext() : null;
+                final Span span = OTelUtility.createSpanFromParent(
+                        SpanName.WebViewTargetBlankNavigation.name(), parentSpanContext);
+                boolean windowHandled = false;
+                try (final Scope scope = SpanExtension.makeCurrentSpan(span)) {
+                    Logger.info(methodTag, "onCreateWindow: intercepting target=_blank navigation.");
+                    final WebView interceptorWebView = new WebView(view.getContext());
+                    interceptorWebView.setWebViewClient(new WebViewClient() {
+                        @Override
+                        public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest request) {
+                            handleInterceptedUrlFromNewWindow(view, v, request, span, isUserGesture);
+                            return true;
+                        }
+                    });
+                    final WebView.WebViewTransport transport = (WebView.WebViewTransport) resultMsg.obj;
+                    transport.setWebView(interceptorWebView);
+                    resultMsg.sendToTarget();
+                    // Span status and end are handled in handleInterceptedUrlFromNewWindow,
+                    // which fires asynchronously when shouldOverrideUrlLoading is called.
+                    windowHandled = true;
+                } catch (@NonNull final Exception e) {
+                    Logger.error(methodTag, "Error handling target=_blank navigation.", e);
+                    span.recordException(e);
+                    span.setStatus(StatusCode.ERROR);
+                    span.end();
+                }
+                return windowHandled;
+            }
         });
         setupPasskeyWebListener(mWebView, webViewClient);
     }
 
+    /**
+     * Handles the URL intercepted from a target=_blank navigation (onCreateWindow).
+     * Routes the URL based on whether the main WebView is currently on a TLR page:
+     * - TLR page: opens the URL in an external browser.
+     * - Non-TLR page: loads the URL inline in the main WebView.
+     *
+     * @param mainWebView        The main authentication WebView.
+     * @param interceptorWebView The temporary interceptor WebView (will be destroyed after handling).
+     * @param request            The intercepted URL request.
+     * @param span               The telemetry span to record which routing path is taken.
+     * @param isUserGesture      Whether the popup was initiated by a user gesture (e.g. a click).
+     */
+    @VisibleForTesting
+    void handleInterceptedUrlFromNewWindow(@NonNull final WebView mainWebView,
+                                                   @NonNull final WebView interceptorWebView,
+                                                   @NonNull final WebResourceRequest request,
+                                                   @NonNull final Span span,
+                                                   final boolean isUserGesture) {
+        final String methodTag = TAG + ":handleInterceptedUrlFromNewWindow";
+        try {
+            final String targetUrl = request.getUrl().toString();
+            final String currentPageUrl = mainWebView.getUrl();
+
+            if (targetUrl == null) {
+                span.setAttribute(AttributeName.target_blank_navigation_route.name(), AuthenticationConstants.Broker.WEBVIEW_TARGET_BLANK_ROUTE_NULL_URL);
+                Logger.warn(methodTag, "onCreateWindow: target URL is null, ignoring.");
+            } else if (!isUserGesture) {
+                // Not initiated by user gesture: load inline as a safe fallback instead of
+                // opening an external browser, to prevent programmatic/scripted popups.
+                span.setAttribute(AttributeName.target_blank_navigation_route.name(), AuthenticationConstants.Broker.WEBVIEW_TARGET_BLANK_ROUTE_NO_USER_GESTURE);
+                Logger.warn(methodTag, "onCreateWindow: popup not initiated by user gesture, loading URL inline.");
+                mainWebView.loadUrl(targetUrl);
+            } else if (!targetUrl.toLowerCase().startsWith(AuthenticationConstants.Broker.REDIRECT_SSL_PREFIX)) {
+                // Non-SSL URL: refuse to open, matching AzureActiveDirectoryWebViewClient behavior.
+                span.setAttribute(AttributeName.target_blank_navigation_route.name(), AuthenticationConstants.Broker.WEBVIEW_TARGET_BLANK_ROUTE_NON_SSL);
+                Logger.error(methodTag, "onCreateWindow: URL is not SSL protected, refusing to open.", null);
+            } else if (!isTlrUrl(currentPageUrl)) {
+                // Non-TLR page: load inline, same as WebView default behavior.
+                span.setAttribute(AttributeName.target_blank_navigation_route.name(), AuthenticationConstants.Broker.WEBVIEW_TARGET_BLANK_ROUTE_NON_TLR);
+                Logger.warn(methodTag, "onCreateWindow: non-TLR page, loading URL inline as fallback.");
+                mainWebView.loadUrl(targetUrl);
+            } else {
+                // TLR page: delegate to system browser so user can view terms externally.
+                span.setAttribute(AttributeName.target_blank_navigation_route.name(), AuthenticationConstants.Broker.WEBVIEW_TARGET_BLANK_ROUTE_TLR);
+                Logger.info(methodTag, "onCreateWindow: TLR page, delegating URL to system browser.");
+                final Intent browserIntent = new Intent(Intent.ACTION_VIEW, Uri.parse(targetUrl));
+                mainWebView.getContext().startActivity(browserIntent);
+            }
+            span.setStatus(StatusCode.OK);
+        } catch (final Exception e) {
+            span.recordException(e);
+            span.setStatus(StatusCode.ERROR);
+            Logger.error(methodTag, "Error handling target=_blank URL.", e);
+        } finally {
+            span.end();
+            // Destroy the interceptor WebView after it has served its purpose
+            interceptorWebView.post(interceptorWebView::destroy);
+        }
+    }
+
+    /**
+     * Checks whether the given URL corresponds to a TLR (Terms, License, and Restrictions)
+     * start page.
+     *
+     * @param url The URL to check.
+     * @return {@code true} if the URL is a TLR start page, {@code false} otherwise.
+     */
+    @VisibleForTesting
+    boolean isTlrUrl(@Nullable final String url) {
+        if (url == null) {
+            return false;
+        }
+        final String lowerUrl = url.toLowerCase();
+        return lowerUrl.startsWith(AuthenticationConstants.Broker.REDIRECT_SSL_PREFIX)
+                && lowerUrl.contains(AuthenticationConstants.Broker.TLR_START_PATH);
+    }
+
     /**
      * Loads starting authorization request url into WebView.
      */