
Google OAuth is not supported in Android WebView. Google recommends using Chrome Custom Tabs for OAuth. I also have a requirement for JS calls from my web app to native code. How can I configure calls to native methods from the web app using Chrome Custom Tabs on Android, similar to the JS interface in WebView?

Update 1

The mod Chang marked the post as a duplicate, but the post is different. I don't want to run any JS in my web app from native code. I want to invoke a method in my native code from the web app via a JS interface. Is there any way to do this with CCT?

Sazzad Hissain Khan
  • Possible duplicate of [Can I inject Javascript code into Chrome Custom Tabs](https://stackoverflow.com/questions/34732496/can-i-inject-javascript-code-into-chrome-custom-tabs) – Morrison Chang Jul 10 '19 at 06:01
  • @MorrisonChang the post you marked points to a different question. Please see my update. Requesting you to revert your close vote. – Sazzad Hissain Khan Jul 10 '19 at 06:09
  • Unclear how `invoke method from web app to my native code via JS interface` wouldn't have the same security issues as in linked duplicate as that would presume the web content "know" something outside of web container (and get a result back). I think you are stuck with only using known web APIs (camera, device orientation, etc) and URI intercept. – Morrison Chang Jul 10 '19 at 06:52
  • @MorrisonChang my suggestion is, please discuss in a comment/answer or, if you feel like it, edit the post before marking it as a duplicate in a hurry. This is a specific question for a single flow where native has no capability of changing the web app or anything (i.e. JS injection). There is no selected answer yet, and the security concern discussed in the most voted answer in the post you marked is nowhere related to my question. Requesting you again to revert your close vote, with respect. – Sazzad Hissain Khan Jul 10 '19 at 07:03
  • `Unclear how invoke method from web app to my native code via JS interface wouldn't have the same security issues as in linked duplicate` ... because communication is not the same as code injection. If the site has a medium for communication and the app has a way to interpret it, it's reasonable to assume the page was coded with the app in mind. It shouldn't be assumed that request for communication is the same as request for code injection. When tech prevents this, it just means basic communication needs to go through a bloated webservice, which is silly when the app's right there. – tresf Mar 10 '20 at 22:49

1 Answer


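Based on [Can I inject Javascript code into Chrome Custom Tabs](https://stackoverflow.com/questions/34732496/can-i-inject-javascript-code-into-chrome-custom-tabs), the answer appears to be no.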

Chrome Custom Tab is based on Chrome itself and has the same security model. The web content is only allowed access to the Web APIs (camera, device orientation, etc.) and has no access to the native app. At best the native app can capture a URI.

Even the Chrome Custom Tab documentation states the way for a native app to handle content:

> Some URLs can be handled by native applications. If the user has the Twitter app installed and clicks on a link to a tweet. She expects that the Twitter application will handle it.
>
> Before opening an url from your application, check if a native alternative is available and use it.

Implies that either a native app handles a URL or not. My interpretation of Chrome Custom Tab is a skinnable Chrome component adjacent to the native app rather than internal to a native app like a WebView where a Javascript bridge exists.

Your desire for a Javascript bridge from a web app would mean that there would be an arbitrary way for any website code to interact outside of the web container. The rationale as to why that is not allowed is given in the responses in the first link.

Morrison Chang
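
The URI capture that the answer and comments mention is the one web-to-native channel a Custom Tab leaves open. As an added example (not part of the original answer or the Custom Tabs documentation), here is a native handler for it in Kotlin. The scheme `myapp`, host `bridge`, the action names, `BridgeState` and `BridgeActivity` are all assumptions made for illustration.

```kotlin
// Assumed manifest entry for BridgeActivity: an intent filter with action VIEW,
// categories DEFAULT and BROWSABLE, and <data android:scheme="myapp" android:host="bridge"/>.
// The page in the Custom Tab then navigates to, e.g., myapp://bridge/share?state=<nonce>&text=hi
import android.app.Activity
import android.net.Uri
import android.os.Bundle
import android.util.Log
import java.security.MessageDigest
import java.security.SecureRandom

object BridgeState {
    // One-time nonce: call issue() before launching the Custom Tab and hand the value to
    // the page (for example in the launch URL). In memory only; persist if the process may die.
    @Volatile private var expected: String? = null

    fun issue(): String {
        val bytes = ByteArray(16).also { SecureRandom().nextBytes(it) }
        return bytes.joinToString("") { "%02x".format(it) }.also { expected = it }
    }
    fun consume(candidate: String?): Boolean {
        val want = expected ?: return false
        expected = null // single use, even when the comparison fails
        return candidate != null &&
            MessageDigest.isEqual(want.toByteArray(), candidate.toByteArray())
    }
}

class BridgeActivity : Activity() {
    private val allowedActions = setOf("share", "close")

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        intent?.data?.let(::handle)
        finish() // no UI of its own; return to the calling task
    }

    // Any app or web page can fire this intent, so every field is untrusted input.
    private fun handle(uri: Uri) {
        if (uri.scheme != "myapp" || uri.host != "bridge") return
        val action = uri.lastPathSegment ?: return
        if (action !in allowedActions) return
        if (!BridgeState.consume(uri.getQueryParameter("state"))) return
        val text = uri.getQueryParameter("text").orEmpty().take(280) // bound the payload
        when (action) {
            "share" -> Log.i("Bridge", "share requested, ${text.length} chars")
            "close" -> Log.i("Bridge", "page asked to close the tab")
        }
    }
}
```

The channel is one-way: the page gets no return value, and a custom scheme can also be registered by another installed app, so nothing secret should travel in the URI.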