Hey folks,

we recently merged a PR [1] which significantly changes how cordova-
android loads web content in the webview and now need to decide how to
proceed.

Google introduced the WebViewAssetLoader to make it possible to use web
content from a standard http(s) scheme instead of file:. This was done
to remove security risks [2] and some apps with routing frameworks like
React and Angular need this for proper routing.

Because cordova-android 10 now uses AndroidX we could implement the
WebViewAssetLoader and remove some deprecated or security related
WebSettings and move the platform forward to current Android standards.

This change may break some apps now because the origin changes if the
app now runs on https://localhost for example instead of file://.
Changing the origin means losing access to web storage like
localStorage, IndexedDB etc. First and foremost we need to announce that
change with the release for developers to act but additionally we could
do:

1.) Default back to file:// and make the WebViewAssetLoader opt-in via
config.xml. This exposes apps to the security risk:

> Note: Apps should not open file:// URLs from any external source in
> WebView, don't enable this if your app accepts arbitrary URLs from
> external sources. It's recommended to always use
> androidx.webkit.WebViewAssetLoader
> <https://developer.android.com/reference/androidx/webkit/WebViewAssetLoader>
> to access files including assets and resources over http(s):// schemes,
> instead of file:// URLs. To prevent possible security issues targeting
> Build.VERSION_CODES.Q
> <https://developer.android.com/reference/android/os/Build.VERSION_CODES#Q>
> and earlier, you should explicitly set this value to false.

2.) Add a migration for localStorage etc. to the platform to provide a
smoother transition

3.) Use the WebViewAssetLoader only and don't migrate in the platform
but point users to a plugin that helps them to manage their migration

Personally I would favor moving to WebViewAssetLoader by default in
this breaking release to get apps up to date and adapt to Android's
changes. I don't know how many apps would be affected because I suspect
many apps are using native storage solutions (SQLite etc.) or are
running Ionic's WebView with the https scheme already. I am doing both
for my apps because of the many localStorage and non-https scheme issues
we had in the past and I suspect many did as well.

Cordova Android 10 needs to be released sooner rather than later so
please leave your feedback.

Thank you very much and kind regards
Niklas

[1] https://github.com/apache/cordova-android/pull/1137
[2]
https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)
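
For readers following the thread, a sketch of the WebView setup the message discusses: content served through WebViewAssetLoader on an https origin, with file access explicitly disabled as the quoted Android note recommends. This is an added example, not part of the original message and not code from cordova-android or the linked PR; the class name, the `localhost` domain (taken from the message's "for example") and the `/assets/www/index.html` path are assumptions.

```java
import android.content.Context;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.webkit.WebViewAssetLoader;

// Added illustration. AssetLoaderSetup, the domain and the asset path are
// assumptions, not names used by cordova-android.
public final class AssetLoaderSetup {
    private AssetLoaderSetup() {}

    public static void configure(Context context, WebView webView) {
        // Map https://localhost/assets/... onto the APK's assets/ directory.
        final WebViewAssetLoader loader = new WebViewAssetLoader.Builder()
                .setDomain("localhost")
                .addPathHandler("/assets/",
                        new WebViewAssetLoader.AssetsPathHandler(context))
                .build();

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(
                    WebView view, WebResourceRequest request) {
                // Returns null for URLs outside the registered domain and
                // path, so those fall through to normal loading.
                return loader.shouldInterceptRequest(request.getUrl());
            }
        });

        WebSettings settings = webView.getSettings();
        // Content no longer comes from file://, so file and content URL
        // access can be switched off. The quoted note asks for an explicit
        // false when targeting Build.VERSION_CODES.Q and earlier.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);

        // The page origin is now https://localhost. Web storage written
        // while the app ran under file:// belongs to a different origin
        // and is not visible from here.
        webView.loadUrl("https://localhost/assets/www/index.html");
    }
}
```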
