diff --git a/app/src/main/AndroidManifest.xml b/app/src/main/AndroidManifest.xml
index a76f5686fa..af8a3188bb 100644
--- a/app/src/main/AndroidManifest.xml
+++ b/app/src/main/AndroidManifest.xml
@@ -135,7 +135,6 @@
-
diff --git a/app/src/main/java/com/infomaniak/drive/ui/OnlyOfficeActivity.kt b/app/src/main/java/com/infomaniak/drive/ui/OnlyOfficeActivity.kt
index 05a891d6a5..d45061600d 100644
--- a/app/src/main/java/com/infomaniak/drive/ui/OnlyOfficeActivity.kt
+++ b/app/src/main/java/com/infomaniak/drive/ui/OnlyOfficeActivity.kt
@@ -83,6 +83,12 @@ class OnlyOfficeActivity : AppCompatActivity() {
val url = intent.getStringExtra(ONLYOFFICE_URL_TAG)!!
val filename = intent.getStringExtra(ONLYOFFICE_FILENAME_TAG)!!
+
+ if (!isUrlFromTrustedDomain(url)) {
+ finish()
+ return@with
+ }
+
val headers = mapOf("Authorization" to "Bearer ${AccountUtils.currentUser?.apiToken?.accessToken}")
CookieManager.getInstance().setAcceptThirdPartyCookies(webView, true)
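Review bot: The two `getStringExtra(...)!!` reads just above the new check still throw a NullPointerException when an extra is missing, so an intent without `ONLYOFFICE_URL_TAG` crashes the activity before `isUrlFromTrustedDomain` runs. Since this change treats the incoming URL as untrusted, a missing extra should take the same exit, e.g. `val url = intent.getStringExtra(ONLYOFFICE_URL_TAG) ?: run { finish(); return@with }`. The rejection path also finishes silently; a log line there (host only, not the full URL) would make blocked launches visible during triage. The enclosing `with` block starts and ends outside the hunk.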
@@ -96,8 +102,9 @@ class OnlyOfficeActivity : AppCompatActivity() {
webViewClient = object : WebViewClientCompat() {
override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
- popBackIfNeeded(request.url.toString())
- view.loadUrl(request.url.toString())
+ val redirectUrl = request.url.toString()
+ popBackIfNeeded(redirectUrl)
+ if (!isFinishing) view.loadUrl(redirectUrl)
return true
}
}
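Review bot: `if (!isFinishing) view.loadUrl(redirectUrl)` still loads whatever URL the page navigates to, so the domain check added for the initial URL does not cover later navigations or redirects inside the WebView. Third-party cookies are enabled on this WebView earlier in the same block, so I would gate this call as well: `if (!isFinishing && isUrlFromTrustedDomain(redirectUrl)) view.loadUrl(redirectUrl)`. Whether `popBackIfNeeded` already filters some URLs cannot be seen from this hunk, so confirm that legitimate editor flows never leave the trusted domain before tightening it.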
@@ -211,6 +218,16 @@ class OnlyOfficeActivity : AppCompatActivity() {
if (popBackNeeded) finish()
}
+ private fun isUrlFromTrustedDomain(url: String): Boolean {
+ return try {
+ val uri = Uri.parse(url)
+ val host = uri.host ?: return false
+ uri.scheme == "https" && (host.endsWith(".infomaniak.com") || host == "infomaniak.com")
+ } catch (e: Exception) {
+ false
+ }
+ }
+
private inner class OnlyOfficeWebChromeClient : WebChromeClient() {
override fun onProgressChanged(view: WebView, newProgress: Int) = with(binding) {
progressBar.progress = newProgress
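Review bot: `isUrlFromTrustedDomain` decides on `android.net.Uri`'s view of the host, and that lenient parser can disagree with what the WebView finally loads when the authority section is unusual. The check should reject URLs that carry userinfo or a backslash before comparing the host, e.g. `if (uri.userInfo != null || '\\' in url) return false`. The suffix match also trusts every subdomain of infomaniak.com, while the caller builds an Authorization header with the user's bearer token for this URL; an explicit list of the hosts that serve OnlyOffice would be narrower, if that list is known. `Uri.parse` does not normally throw on a non-null string, so `catch (e: Exception)` mostly hides unexpected errors. A short KDoc stating the accepted scheme and hosts would help the next reader.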