Skip to content

fix(DefaultWebClient): allow file:// and javascript: navigations to fall through (#762)#1084

Open
jim-daf wants to merge 1 commit intoJustson:androidxfrom
jim-daf:fix/security-issue-762
Open

fix(DefaultWebClient): allow file:// and javascript: navigations to fall through (#762)#1084
jim-daf wants to merge 1 commit intoJustson:androidxfrom
jim-daf:fix/security-issue-762

Conversation

@jim-daf
Copy link
Copy Markdown

@jim-daf jim-daf commented Apr 19, 2026
edited
Loading

Let file:// (and javascript:) navigations fall through to WebView

Resolves #762 - clicking a link inside a file:///android_asset/... page
does nothing.

Why nothing happens

DefaultWebClient.shouldOverrideUrlLoading is structured as:

if (http or https)               -> handle alipay or super
if (!webClientHelper)            -> super
if (handleCommonLink(url))       -> true     (tel, mailto, sms, geo, ...)
if (intent: / weixin: / alipays: / deeplink) -> true
if (mIsInterceptUnkownUrl)       -> true     <-- swallows everything else
return super(...)

mIsInterceptUnkownUrl is true by default, so any URL that doesn't
match http/https/tel/mailto/intent/weixin/alipays falls into the final
catch-all and returns true — telling WebView "I handled this, do
not load it". file:///android_asset/social/h5/other.html and
javascript: URLs both end up there, which is why the user's <a>
link to a sibling local page silently does nothing.

Fix

agentweb-core/src/main/java/com/just/agentweb/DefaultWebClient.java:

  • Adds two scheme constants near SCHEME_SMS: 
    public static final String FILE_SCHEME = "file://";
public static final String JAVASCRIPT_SCHEME = "javascript:";
  • Both overloads of shouldOverrideUrlLoading (the modern
    WebResourceRequest one and the legacy String one) return false
    as soon as they see one of those schemes, letting WebView perform
    the navigation itself.

This is the minimal change that restores in-page navigation for
locally-bundled HTML without weakening the existing intent/alipay/wechat
interception behavior.

@jim-daf jim-daf force-pushed the fix/security-issue-762 branch from 33ee6b8 to 9c2b828 Compare April 19, 2026 19:55
@jim-daf
fix(DefaultWebClient): allow file:// and javascript: navigations to f…
30f3f0a 
…all through (Justson#762)

Resolves Justson#762

DefaultWebClient.shouldOverrideUrlLoading explicitly handles http/https,
then runs through phone/email/intent/wechat/alipay handlers, and finally
intercepts every remaining URL when mIsInterceptUnkownUrl is true (the
default). file:// links between bundled assets (the most common pattern
for offline H5 apps that hit this method) end up in that final branch,
which returns true and silently drops the navigation. The same is true
of javascript: URLs.

Two new scheme constants (FILE_SCHEME / JAVASCRIPT_SCHEME) are added
near SCHEME_SMS, and both overloads of shouldOverrideUrlLoading return
false as soon as they see one of those schemes, letting WebView handle
the navigation itself.
@jim-daf jim-daf changed the title fix: restrict file access in WebView (3 files) fix(DefaultWebClient): allow file:// and javascript: navigations to fall through (#762) Apr 21, 2026
@jim-daf jim-daf force-pushed the fix/security-issue-762 branch from 9c2b828 to 30f3f0a Compare April 21, 2026 19:58
@jim-daf jim-daf marked this pull request as ready for review April 21, 2026 20:46
Copilot AI review requested due to automatic review settings April 21, 2026 20:46
Copilot AI reviewed Apr 21, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adjusts DefaultWebClient.shouldOverrideUrlLoading to stop swallowing file:// and javascript: navigations when mIsInterceptUnkownUrl is enabled by default, restoring in-page navigation for locally bundled HTML (e.g., file:///android_asset/...) and javascript: links.

Changes:

  • Added FILE_SCHEME and JAVASCRIPT_SCHEME constants.
  • Updated both shouldOverrideUrlLoading overloads to return false for file:// and javascript: URLs so WebView can handle them.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread agentweb-core/src/main/java/com/just/agentweb/DefaultWebClient.java
Comment on lines +204 to 208
if (url.startsWith(FILE_SCHEME) || url.startsWith(JAVASCRIPT_SCHEME)) {
return false;
}
if (!webClientHelper) {
return super.shouldOverrideUrlLoading(view, request);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

本地html跳转无响应

2 participants

@jim-daf