The purpose of this library is to enable hosting local content (such as assets
or resources) under an http(s):// URL.
The traditional way to access local resources is to use file:///android_asset
or file://android_res/
URLs but using the file:
scheme poses problems with
the Same-Origin policy and
makes it problematic to reference local content from content loaded over
a secure (https:
) connection.
Using the WebView-Local-Server requires the following steps:
-
Create a
WebViewLocalServer
instance.WebViewLocalServer assetServer = new WebViewLocalServer(context);
-
Tell the server where to host the resources.
// The server uses a random prefix to make it harder for unauthorized content to guess. WebViewLocalServer.AssetHostingDetails details = assetServer.hostAssets("/www"); // Assuming you want to know the http address of assets/www/index.hml: String indexUrl = details.getHttpPrefix().buildUpon().appendPath("index.html").toString();
-
Hook up the server in the
shouldInterceptRequest
method.class MyWebViewClient extends WebViewClient { // For KitKat and earlier. @Override public WebResourceResponse shouldInterceptRequest(WebView view, String url) { return assetServer.shouldInterceptRequest(url); } // For Lollipop and above. @Override public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) { return assetServer.shouldInterceptRequest(request); } }
-
Consider using the following settings in order to maximize security:
webView.getSettings().setAllowFileAccessFromFileURLs(false); webView.getSettings().setAllowUniversalAccessFromFileURLs(false); // Keeping these off is less critical but still a good idea, especially // if your app is not using file:// or content:// URLs. webView.getSettings().setAllowFileAccess(false); webView.getSettings().setAllowContentAccess(false);
One potential problem of hosting local resources on a http(s):// URL is that
doing so may conflict with a real website. This means that local resources
should only be hosted on domains that the user has control of or which have
been dedicated for this purpose.
The androidplatform.net
domain has been specifically reserved for this
purpose and you are free to use it.
By default the WebViewLocalServer
will attempt to host assets/resources on
a random subdomain of androidplatform.net
(something like
123e4567-e89b-12d3-a456-426655440000.androidplatform.net
). This random
subdomain is chosen once per WebViewLocalServer
.
To find out which prefix has been assigned to your resources you need to look at
the AssetHostingDetails
instance returned by the call to hostAssets
or
hostResources
.
Should using a random subdomain be inconvenient for some reason it is possible
to use a fixed domain (like androidplatform.net
or a domain you own).
This is not an official Google product (experimental or otherwise), it is just code that happens to be owned by Google.