14

I have a solution where my Android WebView needs to first open a https url, then it will be redirected to a http url (it might be trying a http POST from the https site). This is not working, and my Android debug log says:

02-20 11:04:45.079 8538-8538/? E/WebViewCallback﹕ Blocked URL: [blocked] The page at 'https://xxx/' was loaded over HTTPS, but is submitting data to an insecure location at 'http://yyy': this content should also be submitted over HTTPS.

Are there any configuration options in the WebView that will allow this behaviour?

More info: it seems like a behaviour change in the Android SDK. A client compiled a long time ago does this without any complaints.

Kenneth
  • 3,957
  • 8
  • 39
  • 62

4 Answers4

31

There was a change in default WebView settings for mixed http/https content in Lollipop (API 20). See https://datatheorem.github.io/android/2014/12/20/webviews-andorid-lollipop/ for more details.

To allow https to redirect to http you need to set the mixed content mode to MIXED_CONTENT_ALWAYS_ALLOW

 if (Build.VERSION.SDK_INT >= 21) {
        webview.getSettings().setMixedContentMode( WebSettings.MIXED_CONTENT_ALWAYS_ALLOW );
    }

Note that setting MIXED_CONTENT_ALWAYS_ALLOW is bad from security point of view, and as you note in your answer, it is better to support https on both sites.

But for those that don't have control over the sites, this should work.

Anton G
  • 509
  • 5
  • 8
4

You can ignore ssl error by overriding onReceivedSslError() method.

@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.proceed(); // Ignore SSL certificate errors
}

Hope it will be work for you.

Arkar Aung
  • 3,554
  • 1
  • 16
  • 25
  • Thank you for your answer. Altho it might work (have not tried), it seems like an horrible idea to disable all SSL errors. – Kenneth Feb 20 '15 at 10:31
  • 2
    Yes, you're right. This is so completely defeats the purpose of having SSL. I don't find another way better than above. Check it . (https://code.google.com/p/android/issues/detail?id=2388#c15) – Arkar Aung Feb 20 '15 at 10:35
  • Note that Google won't allow you to publish your app with this code – joao2fast4u Feb 07 '18 at 14:53
0

From my research I don't think it is possible to disable this feature. I will support https in both sites instead. Safest anyway.

Kenneth
  • 3,957
  • 8
  • 39
  • 62
-2

Its worked for me 

 AlertDialog.Builder builder = new AlertDialog.Builder(MainActivity.webView.getContext());
  AlertDialog alertDialog = builder.create();
  String message = "Certificate error.";
  switch (error.getPrimaryError()) {
     case SslError.SSL_UNTRUSTED:
        message = "The certificate authority is not trusted.";
        break;
     case SslError.SSL_EXPIRED:
        message = "The certificate has expired.";
        break;
     case SslError.SSL_IDMISMATCH:
        message = "The certificate Hostname mismatch.";
        break;
     case SslError.SSL_NOTYETVALID:
        message = "The certificate is not yet valid.";
        break;
  }
  message += " Do you want to continue anyway?";
  alertDialog.setTitle("SSL Certificate Error");
  alertDialog.setMessage(message);
  alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() {

     public void onClick(DialogInterface dialog, int which) {
        Log.d("CHECK", "Button ok pressed");
        // Ignore SSL certificate errors
        handler.proceed();
     }
  });
  alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() {

     public void onClick(DialogInterface dialog, int which) {
        Log.d("CHECK", "Button cancel pressed");
        handler.cancel();
     }
  });
  alertDialog.show();
Ramesh Bandari
  • 148
  • 2
  • 6