
Situation

In our Android app (Xamarin), we open a web page using an ActionView intent. The code looks like this:

// Open the URL in the device's default browser via an ACTION_VIEW intent
Intent intent = new Intent((string)Intent.ActionView, Android.Net.Uri.Parse(args.url));
// Launched from outside an Activity, so the browser gets its own task
intent.AddFlags(ActivityFlags.NewTask);

The opened page at some point does a JS redirect, with a line like this:

window.location = '...';

We tried many different variations of that line, including window.location.href = '...', window.location.assign('...'); and some more. All show the same behavior.

Problem

This has worked fine for years now, in all browsers, but now we ran into a problem when the browser on the Android device is the Edge browser:

When the browser tab is initially opened by the intent, the window.location = '...' line in JavaScript is just ignored by the browser. No error message, it is just ignored.

However, if that same browser tab with exactly the same URL is opened manually (either by reloading or by copying and pasting the URL), the JS redirect is executed just fine.

Question

How do we fix this, how do we make the JS redirect reliably work?

My guess is that we are running into a security feature, which prevents JS redirects in browser tabs that the user has never interacted with.

Is there something (maybe an intent flag?) to circumvent this? We already tried the flag GrantWriteUriPermission, but it did not help.

Possible duplicates

Android Browser Facebook Redirect Does Not Always Trigger Intent for URL :
The proposed situation of setting the URL on a link and faking a click on it did not work.

Jost
  • It may be that the javascript has been blocked, especially when the website is trying to load an unauthorized script into the browser and trying to invade data. You can try to run javascript in Android Edge, just refer to [this link](https://browserhow.com/how-to-allow-or-block-javascript-execution-on-edge-for-android/). – Xudong Peng Sep 15 '21 at 09:41
  • @XudongPeng: JavaScript is definitely allowed on the page, and no external scripts are included - I added logging statements (`console.log`) everywhere, and all of them were executed, visible in the connected desktop Edge. Only the above `window.location = '...';` statement was not correctly executed. I also surrounded it with a `try {...} catch ()`, which did not catch anything. – Jost Sep 15 '21 at 12:26
  • Could you provide the url for us to test? – Wendy Zang - MSFT Sep 21 '21 at 09:08
  • @MSFT No, that's not possible, sorry. You need to open the site from an App or something, without user interaction. – Jost Sep 21 '21 at 11:37
  • We used an empty page to do a simple test on it, and it can achieve page redirection. `window.location = 'https://www.google.com/';` Here is my [test url](https://pxd-1004.github.io/redirectTest.html). I'm not sure if there are other problems with the code, so I am afraid I can't reproduce your problem. You can also try to send feedback to the relevant team. Click the three dots icon `(...)` at the bottom of the browser and select the send feedback option. – Xudong Peng Sep 22 '21 at 07:17
  • @Newbie: The URL is https, and yes, we tried to create a dummy anchor and click it. We tried to do the click in various ways: Use the basic `click` event, create an event manually and trigger it, and some more things. – Jost Sep 24 '21 at 06:25

1 Answer


Microsoft Edge security

Microsoft Edge recently fixed an issue regarding XSS Targeting Non-Script Elements (June 24, 2021).

The vulnerability was found by two researchers when they visited a website in another language via the Microsoft Edge browser and attempted to translate the page. The goal of the recent fix by Microsoft is to avoid a vulnerability regarding dynamically accessing content from a third-party application, and specifically in the case of browser redirection. They needed to act quickly because the vulnerability is quite huge.

In order to mitigate a large class of potential cross-site scripting issues, the Microsoft Edge Extension system has incorporated the general concept of Content Security Policy (CSP)

Ok, but ... is there any solution?

Maybe you can find a solution to solve your issue here, in particular the part concerning the <button onclick="...">.

Inline code is considered harmful in the concept of CSP, and Microsoft recommends some good practices:

1 - The clickHandler definition must be moved into an external JavaScript

2 - The inline event handler definitions must be rewritten in terms of addEventListener and extracted into your external js file. If you are currently starting your program using code like <body onload="main();">, consider replacing it by hooking into the DOMContentLoaded event of the document, or the load event of the window, depending on your requirements. Use the former, since it generally triggers more quickly.

3 - The function inside the onclick call must be rewritten to avoid converting a string into JavaScript for running.

The code example of the external .js file cited in the documentation looks like this:

function awesome() {
    // Do something awesome!
}

function totallyAwesome() {
    // do something TOTALLY awesome!
}

function awesomeTask() {
    awesome();
    totallyAwesome();
}

function clickHandler(e) {
    setTimeout(awesomeTask, 1000);
}

function main() {
    // Initialization work goes here.
}

// Add event listeners once the DOM has fully loaded by listening for the
// `DOMContentLoaded` event on the document, and adding your listeners to
// specific elements when it triggers.
document.addEventListener('DOMContentLoaded', function () {
    document.querySelector('button').addEventListener('click', clickHandler);
    main();
});

Hope it helps

PaulCrp
  • Thanks for your answer - I am not sure if this is actually the problem we are facing. Could you elaborate a bit? What I don't understand: The patch fixes the execution of scripts in non-script tags. But how does that relate to our problem? – Jost Sep 23 '21 at 14:57
  • I changed my post, hope you can find your solution and explanation here – PaulCrp Sep 24 '21 at 09:18
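Added example, not code from the question or the answer above: an external redirect script of the kind the answer's CSP guidance calls for (no inline `onclick`/`onload` handlers, everything wired up from `DOMContentLoaded`). It validates the redirect target against an origin allowlist before navigating, since the URL comes from whatever the app hands the browser, attempts the programmatic navigation, and if the document is still there after a timeout (the symptom the question reports for Edge on Android) renders a plain link the user can tap, which carries the user activation a script-driven redirect lacks. `ALLOWED_ORIGINS`, the `data-redirect` attribute on `<body>`, and the `env` abstraction are assumptions made for this example; the `fakeEnv` exists only so the decision logic can be exercised outside a browser.

```javascript
// redirect.js: an external script (no inline handlers, as the answer's CSP
// guidance requires) that validates the redirect target, attempts the
// programmatic navigation, and shows a tappable link if the page is still
// there after a timeout. Added example; not code from the question or answer.

// Origins the page may redirect to. Assumption for this example: replace with
// the real origins of the service the intent opens.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://login.example.com'];

// Validate a redirect target: must parse as an absolute https URL whose origin
// is in the allowlist. Returns the normalized URL, or null if it must not be
// used (relative URLs, http:, javascript:, data: and unknown hosts all fail).
function safeRedirectTarget(raw, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(String(raw));
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;
  if (!allowedOrigins.includes(url.origin)) return null;
  return url.href;
}

// Attempt the redirect through `env`, which abstracts the browser so the
// decision logic also runs outside one (see fakeEnv). Returns a state object
// whose `outcome` moves from 'pending' to 'navigated' (the document unloaded,
// so the redirect worked), 'fallback' (still here after timeoutMs, a link was
// rendered for the user to tap) or 'rejected' (target failed validation).
function redirectWithFallback(target, env, timeoutMs = 1500) {
  const state = { href: null, outcome: 'pending' };
  const settle = (outcome) => {
    if (state.outcome === 'pending') state.outcome = outcome;
  };
  const href = safeRedirectTarget(target, env.allowedOrigins);
  if (href === null) {
    env.log('redirect target rejected: ' + String(target));
    state.outcome = 'rejected';
    return state;
  }
  state.href = href;
  env.onUnload(() => settle('navigated'));
  env.setTimeout(() => {
    if (state.outcome !== 'pending') return;
    env.showFallbackLink(href);   // a tap on this link carries user activation
    settle('fallback');
  }, timeoutMs);
  env.navigate(href);
  return state;
}

// Real browser bindings.
function browserEnv(allowedOrigins) {
  return {
    allowedOrigins,
    log: (msg) => console.log(msg),
    navigate: (href) => window.location.assign(href),
    onUnload: (cb) => window.addEventListener('pagehide', cb),
    setTimeout: (cb, ms) => window.setTimeout(cb, ms),
    showFallbackLink: (href) => {
      const a = document.createElement('a');
      a.href = href;
      a.textContent = 'Continue';
      document.body.appendChild(a);
    },
  };
}

// Recording environment for exercising the logic without a browser: timers and
// unload handlers are collected and fired by the caller.
function fakeEnv(allowedOrigins) {
  const env = {
    allowedOrigins,
    logs: [], navigated: [], fallbackLinks: [], timers: [], unloadHandlers: [],
    log: (msg) => env.logs.push(msg),
    navigate: (href) => env.navigated.push(href),
    onUnload: (cb) => env.unloadHandlers.push(cb),
    setTimeout: (cb) => env.timers.push(cb),
    showFallbackLink: (href) => env.fallbackLinks.push(href),
    fireTimers: () => env.timers.splice(0).forEach((cb) => cb()),
    fireUnload: () => env.unloadHandlers.forEach((cb) => cb()),
  };
  return env;
}

// In a page, hook DOMContentLoaded instead of an inline onload handler. The
// target is read from a data-redirect attribute on <body> (assumption).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    redirectWithFallback(document.body.dataset.redirect,
                         browserEnv(ALLOWED_ORIGINS));
  });
}
```

The fallback does not make the script-driven redirect work where the browser ignores it; it only keeps the user off a dead page, and the allowlist keeps an app-supplied URL from turning the page into an open redirect. Load the script with a plain `<script src="redirect.js">` tag so it runs under a CSP without `'unsafe-inline'`.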