@exodus/react-native-webview 13.16.0-exodus.5 → 13.16.0-exodus.7

package/android/src/main/java/com/reactnativecommunity/webview/RNCWebView.java

@@ -1,6 +1,5 @@
 package com.reactnativecommunity.webview;
 
-import android.annotation.SuppressLint;
 import android.graphics.Rect;
 import android.net.Uri;
 import android.text.TextUtils;
@@ -9,7 +8,6 @@ import android.view.Menu;
 import android.view.MenuItem;
 import android.view.MotionEvent;
 import android.view.View;
-import android.webkit.JavascriptInterface;
 import android.webkit.ValueCallback;
 import android.webkit.WebChromeClient;
 import android.webkit.WebView;
@@ -55,8 +53,6 @@ public class RNCWebView extends WebView implements LifecycleEventListener {
     String injectedJSBeforeContentLoaded;
     protected static final String JAVASCRIPT_INTERFACE = "ReactNativeWebView";
     protected @Nullable
-    RNCWebViewBridge fallbackBridge;
-    protected @Nullable
     WebViewCompat.WebMessageListener bridgeListener = null;
 
     protected boolean messagingEnabled = false;
@@ -246,6 +242,15 @@ public class RNCWebView extends WebView implements LifecycleEventListener {
             this.bridgeListener = new WebViewCompat.WebMessageListener() {
               @Override
               public void onPostMessage(@NonNull WebView view, @NonNull WebMessageCompat message, @NonNull Uri sourceOrigin, boolean isMainFrame, @NonNull JavaScriptReplyProxy replyProxy) {
+                // Exodus: only accept messages from the top frame. The injected
+                // ReactNativeWebView object is available in every frame (subframes
+                // included), so without this guard any embedded iframe — even a
+                // cross-origin one that happens to pass the origin whitelist — could
+                // reach the native onMessage handler. This mirrors the iOS bridge,
+                // which is injected with forMainFrameOnly:YES.
+                if (!isMainFrame) {
+                  return;
+                }
                 RNCWebView.this.onMessage(message.getData(), sourceOrigin.toString());
               }
             };
@@ -257,10 +262,14 @@ public class RNCWebView extends WebView implements LifecycleEventListener {
             );
           }
         } else {
-          if (fallbackBridge == null) {
-            fallbackBridge = new RNCWebViewBridge(webView);
-            addJavascriptInterface(fallbackBridge, JAVASCRIPT_INTERFACE);
-          }
+          // Exodus: the legacy addJavascriptInterface bridge injects ReactNativeWebView
+          // into every frame and gives the native side no way to tell which frame a
+          // message came from, so it cannot enforce the top-frame restriction above.
+          // WEB_MESSAGE_LISTENER is supported on every WebView new enough to clear
+          // hardMinimumChromeVersion (100, see src/WebView.android.tsx), so this branch
+          // is unreachable in practice. Fail closed rather than install an unhardenable
+          // bridge.
+          FLog.w("RNCWebView", "WEB_MESSAGE_LISTENER is unsupported on this WebView; ReactNativeWebView messaging bridge not installed.");
         }
         injectJavascriptObject();
     }
@@ -275,7 +284,6 @@ public class RNCWebView extends WebView implements LifecycleEventListener {
       }
     }
 
-    @SuppressLint("AddJavascriptInterface")
     public void setMessagingEnabled(boolean enabled) {
         if (messagingEnabled == enabled) {
             return;
@@ -423,30 +431,6 @@ public class RNCWebView extends WebView implements LifecycleEventListener {
       return this.getThemedReactContext().getReactApplicationContext();
   }
 
-  protected class RNCWebViewBridge {
-        private String TAG = "RNCWebViewBridge";
-        RNCWebView mWebView;
-
-        RNCWebViewBridge(RNCWebView c) {
-          mWebView = c;
-        }
-
-        /**
-         * This method is called whenever JavaScript running within the web view calls:
-         * - window[JAVASCRIPT_INTERFACE].postMessage
-         */
-        @JavascriptInterface
-        public void postMessage(String message) {
-            if (mWebView.getMessagingEnabled()) {
-                // Post to main thread because `mWebView.getUrl()` requires to be executed on main.
-                mWebView.post(() -> mWebView.onMessage(message, mWebView.getUrl()));
-            } else {
-                FLog.w(TAG, "ReactNativeWebView.postMessage method was called but messaging is disabled. Pass an onMessage handler to the WebView.");
-            }
-        }
-    }
-
-
     protected static class ProgressChangedFilter {
         private boolean waitingForCommandLoadUrl = false;
 

package/apple/RNCWebViewDecisionManager.m

@@ -3,11 +3,15 @@
 /**
  * Exodus: Thread-safe singleton that manages navigation decision handlers.
  *
+ * All public methods use @synchronized for thread safety, and decision
+ * handlers are invoked outside the lock to avoid deadlocks
+ * (upstream react-native-webview#3916).
+ *
  * Security improvements over upstream:
  * - Uses NSInteger (64-bit) instead of int to prevent overflow
  * - Adds collision checking to skip identifiers still in use
- * - All public methods use @synchronized for thread safety
  * - Explicitly copies blocks to heap to prevent use-after-free
+ * - Denies navigation by default if JS does not respond within 500ms
  * - Provides cancelDecisionForLockIdentifier: for cleanup on WebView dealloc
  */
 @implementation RNCWebViewDecisionManager
@@ -40,14 +44,17 @@
         // if JS responded in time.
         NSInteger capturedIdentifier = lockIdentifier;
         dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(500 * NSEC_PER_MSEC)), dispatch_get_main_queue(), ^{
+            DecisionBlock pendingHandler;
             @synchronized (self) {
-                DecisionBlock pendingHandler = [self.decisionHandlers objectForKey:@(capturedIdentifier)];
-                if (pendingHandler != nil) {
-                    RCTLogWarn(@"Navigation decision timeout for lock %ld, denying by default", (long)capturedIdentifier);
-                    pendingHandler(NO);
-                    [self.decisionHandlers removeObjectForKey:@(capturedIdentifier)];
+                pendingHandler = [self.decisionHandlers objectForKey:@(capturedIdentifier)];
+                if (pendingHandler == nil) {
+                    return;
                 }
+                [self.decisionHandlers removeObjectForKey:@(capturedIdentifier)];
             }
+            // Invoke outside the lock, as in setResult:forLockIdentifier:.
+            RCTLogWarn(@"Navigation decision timeout for lock %ld, denying by default", (long)capturedIdentifier);
+            pendingHandler(NO);
         });
 
         return lockIdentifier;
@@ -55,15 +62,20 @@
 }
 
 - (void)setResult:(BOOL)shouldStart forLockIdentifier:(NSInteger)lockIdentifier {
+    // The handler is captured and removed under the lock, then invoked OUTSIDE
+    // it (upstream react-native-webview#3916). The handler hops to the main
+    // queue and can trigger another navigation that re-enters this class, so
+    // holding the lock across its invocation risks deadlock.
+    DecisionBlock handler;
     @synchronized (self) {
-        DecisionBlock handler = [self.decisionHandlers objectForKey:@(lockIdentifier)];
+        handler = [self.decisionHandlers objectForKey:@(lockIdentifier)];
         if (handler == nil) {
             RCTLogWarn(@"Lock not found for identifier: %ld", (long)lockIdentifier);
             return;
         }
-        handler(shouldStart);
         [self.decisionHandlers removeObjectForKey:@(lockIdentifier)];
     }
+    handler(shouldStart);
 }
 
 

package/package.json

@@ -10,7 +10,7 @@
     "Thibault Malbranche <malbranche.thibault@gmail.com>"
   ],
   "license": "MIT",
-  "version": "13.16.0-exodus.5",
+  "version": "13.16.0-exodus.7",
   "homepage": "https://github.com/ExodusMovement/react-native-webview#readme",
   "scripts": {
     "android": "react-native run-android",