security(webview): restrict native JS channel callbacks to configured origin

Mirror the web iframe postMessage origin check on native InAppWebView
JavaScript handlers so cross-origin pages loaded after navigation cannot
invoke YAML actions wired to javascriptChannels.

Co-authored-by: Sharjeel Yunus <sharjeelyunus@users.noreply.github.com>

Author: cursoragent

modules/ensemble/lib/widget/webview/webview_javascript_bridge_security.dart

@@ -0,0 +1,35 @@
+import 'package:meta/meta.dart';
+
+/// Returns true when [messageOrigin] matches [allowedOrigin].
+///
+/// Used by native [InAppWebView] JavaScript channel handlers to mirror the
+/// origin check already applied to web iframe `postMessage` handling.
+@visibleForTesting
+bool isAllowedWebViewJavaScriptMessageOrigin({
+  required String? messageOrigin,
+  required String? allowedOrigin,
+}) {
+  if (messageOrigin == null || allowedOrigin == null) {
+    return false;
+  }
+  if (messageOrigin.isEmpty || allowedOrigin.isEmpty) {
+    return false;
+  }
+  return messageOrigin == allowedOrigin;
+}
+
+/// Derives the allowed postMessage / JS-bridge origin from the configured
+/// WebView [url]. Returns null for missing or non-http(s) URLs.
+@visibleForTesting
+String? webViewAllowedOriginFromUrl(String? url) {
+  final uri = Uri.tryParse(url ?? '');
+  if (uri == null || !uri.hasScheme || !uri.hasAuthority) {
+    return null;
+  }
+  final scheme = uri.scheme.toLowerCase();
+  if (scheme != 'http' && scheme != 'https') {
+    return null;
+  }
+  final origin = uri.origin;
+  return origin.isEmpty ? null : origin;
+}

modules/ensemble/test/webview_javascript_bridge_security_test.dart

@@ -0,0 +1,56 @@
+import 'package:ensemble/widget/webview/webview_javascript_bridge_security.dart';
+import 'package:flutter_test/flutter_test.dart';
+
+void main() {
+  group('webViewAllowedOriginFromUrl', () {
+    test('returns origin for https URLs', () {
+      expect(
+        webViewAllowedOriginFromUrl('https://app.example.com/path'),
+        'https://app.example.com',
+      );
+    });
+
+    test('returns null for missing or non-http(s) schemes', () {
+      expect(webViewAllowedOriginFromUrl(null), isNull);
+      expect(webViewAllowedOriginFromUrl(''), isNull);
+      expect(webViewAllowedOriginFromUrl('file:///etc/passwd'), isNull);
+      expect(webViewAllowedOriginFromUrl('not-a-url'), isNull);
+    });
+  });
+
+  group('isAllowedWebViewJavaScriptMessageOrigin', () {
+    test('allows matching origins', () {
+      expect(
+        isAllowedWebViewJavaScriptMessageOrigin(
+          messageOrigin: 'https://trusted.example',
+          allowedOrigin: 'https://trusted.example',
+        ),
+        isTrue,
+      );
+    });
+
+    test('rejects cross-origin and empty values', () {
+      expect(
+        isAllowedWebViewJavaScriptMessageOrigin(
+          messageOrigin: 'https://evil.example',
+          allowedOrigin: 'https://trusted.example',
+        ),
+        isFalse,
+      );
+      expect(
+        isAllowedWebViewJavaScriptMessageOrigin(
+          messageOrigin: 'https://evil.example',
+          allowedOrigin: null,
+        ),
+        isFalse,
+      );
+      expect(
+        isAllowedWebViewJavaScriptMessageOrigin(
+          messageOrigin: '',
+          allowedOrigin: 'https://trusted.example',
+        ),
+        isFalse,
+      );
+    });
+  });
+}