Filter out messages not coming from the frontend external bus#6680
Test Results: 213 files, 221 suites, 9m 32s. Results for commit 2b59c35.
Pull request overview
This PR updates WebViewActivity’s native↔frontend bridge so the app only reacts to messages originating from the currently loaded Home Assistant frontend, using WebViewFeature.WEB_MESSAGE_LISTENER (externalAppV2) when available and falling back to the legacy JS interface (externalApp) otherwise.
Changes:
- Added a new `externalAppV2` bridge using `WebViewCompat.addWebMessageListener` with main-frame + same-origin filtering.
- Refactored legacy `externalApp` handling into shared handlers (`handleGetExternalAuth`, `handleRevokeExternalAuth`, `handleExternalBusMessage`).
- Moved blob-download and theme-change callbacks to flow through the external bus and re-register the bridge on URL load.
Reviewed lines:

```kotlin
Timber.d("External bus $message")
webView.post {
    val json = message.toJsonObjectOrNull() ?: return@post
    handleExternalBusMessage(json)
```
Timber.d("External bus $message") / Timber.d("External bus $payload") logs the entire bus message. These payloads can contain sensitive user/server data; consider logging only the message type/id (and use sensitive(...) if any values are needed) to avoid leaking data and reduce log noise.
Suggested change, replacing:

```kotlin
Timber.d("External bus $message")
webView.post {
    val json = message.toJsonObjectOrNull() ?: return@post
    handleExternalBusMessage(json)
```

with:

```kotlin
val json = message.toJsonObjectOrNull()
val messageType = json?.getStringOrNull("type") ?: "unknown"
val messageId = json?.getStringOrNull("id")
if (messageId != null) {
    Timber.d("External bus type=$messageType id=${sensitive(messageId)}")
} else {
    Timber.d("External bus type=$messageType")
}
webView.post {
    val parsedJson = json ?: return@post
    handleExternalBusMessage(parsedJson)
```
@jpelgrom It was already logging the payload before, lemme know what you think. It might be enough to display the ID and type.
It might be nice to limit logging here to be safe, but I'd still prefer the full message in debug builds
jpelgrom
left a comment
Nice improvement to use the web message listener.
"This PR only concerns the `WebViewActivity` and not the `FrontendScreen` (this is going to be done in a second PR)."
Do you intend to build on this and extract some code/constants from the activity, or duplicate code?
I'm going to change things within the
jpelgrom
left a comment
Nice modernisation!
Had to wait for a bit to make sure 2026.4.2 shipped to avoid breaking in case of last minute changes, but it's available now.
Summary
We only want to react to messages sent from the frontend. This PR only concerns the `WebViewActivity` and not the `FrontendScreen` (this is going to be done in a second PR). We've introduced a new `externalAppV2` to be able to use the `WebViewFeature.WEB_MESSAGE_LISTENER`, which allows us to properly check the origin of the message; if it is not available we simply fall back to the old JS injection.

I also decided to move the JS function that we inject into the externalBus. The reason behind this change is that in the frontend we can add this message in the codebase as well, so that it never conflicts with the one we are injecting, like `handleBlob`.

The JS interface is now added/removed each time we load the URL instead of directly from `onCreate`; this allows us to properly check the server version.

This requires home-assistant/frontend#51446 to be merged. If it is not merged by Friday we will need to update the min version for the support of the V2.
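As an added example (not the project's code and not this PR's diff) of the filtering the description refers to: a `WebViewFeature.WEB_MESSAGE_LISTENER` bridge registered under the `externalAppV2` name with an allowed-origin rule derived from the server URL that is about to be loaded, re-checked per message against `isMainFrame` and `sourceOrigin`, and removed again before another URL is loaded. The helper names `registerExternalBus`, `removeExternalBus`, `acceptsOrigin` and `originRuleFor`, and the `onMessage` callback, are assumptions for this illustration; only `externalAppV2` and the fallback to the legacy `externalApp` JavaScript interface come from the PR.

```kotlin
import android.net.Uri
import android.webkit.WebView
import androidx.webkit.WebViewCompat
import androidx.webkit.WebViewFeature
import org.json.JSONObject

// Hypothetical helper names for this example; not identifiers from the project.

/** Strict origin comparison: scheme, host and effective port must all match. */
fun acceptsOrigin(sourceOrigin: Uri, serverUrl: Uri): Boolean {
    fun effectivePort(u: Uri): Int = when {
        u.port != -1 -> u.port
        u.scheme.equals("https", ignoreCase = true) -> 443
        u.scheme.equals("http", ignoreCase = true) -> 80
        else -> -1
    }
    return sourceOrigin.scheme.equals(serverUrl.scheme, ignoreCase = true) &&
        sourceOrigin.host.equals(serverUrl.host, ignoreCase = true) &&
        effectivePort(sourceOrigin) == effectivePort(serverUrl)
}

/** Builds the allowedOriginRules entry for one server: "scheme://host[:port]". Never "*". */
fun originRuleFor(serverUrl: Uri): String {
    val port = if (serverUrl.port != -1) ":${serverUrl.port}" else ""
    return "${serverUrl.scheme}://${serverUrl.host}$port"
}

/**
 * Registers the V2 bridge for the server that is about to be loaded.
 * Returns false when the WebView does not support WEB_MESSAGE_LISTENER, in which
 * case the caller keeps using addJavascriptInterface(..., "externalApp"), which
 * cannot tell which frame or origin invoked it.
 */
fun registerExternalBus(
    webView: WebView,
    serverUrl: Uri,
    onMessage: (JSONObject) -> Unit,
): Boolean {
    if (!WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) {
        return false
    }
    WebViewCompat.addWebMessageListener(
        webView,
        "externalAppV2",
        setOf(originRuleFor(serverUrl)),
    ) { _, message, sourceOrigin, isMainFrame, _ ->
        // The origin rule already limits which frames get the externalAppV2 object;
        // re-check here anyway and drop anything from an iframe or another origin.
        if (!isMainFrame || !acceptsOrigin(sourceOrigin, serverUrl)) {
            return@addWebMessageListener
        }
        val data = message.data ?: return@addWebMessageListener
        val json = runCatching { JSONObject(data) }.getOrNull() ?: return@addWebMessageListener
        // Log only the message type, not the payload, which may carry user or server data.
        android.util.Log.d("ExternalBus", "type=${json.optString("type", "unknown")}")
        onMessage(json)
    }
    return true
}

/** Call before loading a different server so a stale origin rule does not carry over. */
fun removeExternalBus(webView: WebView) {
    if (WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) {
        WebViewCompat.removeWebMessageListener(webView, "externalAppV2")
    }
}
```

On the page side the frontend posts with `externalAppV2.postMessage(JSON.stringify(msg))`; the object is only injected into frames whose origin matches the rule, so a cross-origin iframe never sees it, and the `isMainFrame` check additionally drops same-origin iframes. The callback runs on the UI thread. Passing `"*"` as the origin rule would make the listener reachable from any frame and defeat the purpose of the change.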