Skip to content

Instantly share code, notes, and snippets.

@n1lesh
Last active August 28, 2022 23:53
Show Gist options
  • Save n1lesh/1ba55eae709712ebb38bc65acda0f19e to your computer and use it in GitHub Desktop.
Save n1lesh/1ba55eae709712ebb38bc65acda0f19e to your computer and use it in GitHub Desktop.
Enable Safe Browsing in WebViews - Android O
<manifest>
<application>
. . .
<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
android:value="true" />
. . .
</application>
</manifest>
@nfischer
Copy link

nfischer commented Nov 8, 2017

Hi there! I'm one of the developers on WebView Safe Browsing. Thanks for the blog post! I have a couple comments I thought you might like to address/fix:

It looks like the EnableSafeBrowsing tag is in the wrong spot. It should be:

<manifest>
    <application>
        <meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
            android:value="true" />
        ...
    </application>
</manifest>

I assume you got this from this blog post (that post unfortunately made a mistake).


The other thing, your blog post (I assume you manage this, correct me if I'm mistaken) seems to confuse WebView's separate renderer process with the Safe Browsing feature. Safe Browsing is about blocking known-malicious web pages (malware, phishing), and the app is responsible for enabling this feature (Chrome has a similar feature, and has some documentation here).

Multiprocess (aka separate renderer process) is a separate feature. This is enabled by default for all devices running O and above. Based on your description, this sounds like the topic you were focusing on:

This allows the host app to stay away from crashes in renderer process as well as exploit attempts made through malicious content. The renderer process running in its separate process is given a limited set of resources to use, like it can't do disk write or connect to network on its own limiting the idea of malware attack.

@n1lesh
Copy link
Author

n1lesh commented Dec 22, 2017

Hey @nfischer

Thanks for the correction mate. I wrote that post just after the announcement was made and never really got to try the feature myself, so yeah, I believe I made an honest mistake trusting a post by Google people, sorry! 😞 .

The second part you addressed did bug me at the time of writing that post. As I said, never been able to work with WebViews, I have played with CustomTabs though. I will make corrections to that post soon to reflect the changes. Also, on your part, it would be really nice if you could manage to get that original post corrected. A lot of people (like me) depend on announcement posts like that.

Thanks again for the clarification.

@nfischer
Copy link

@n1lesh Ah, just saw this comment. Sorry for the late reply!

Yeah, it's unfortunate that the original blog post was incorrect. Our team must have missed it during review, so that's on us. The mistake slipped into this post as well, but we've since fixed the error 😄

I'll look into who owns that original blog post and see if we can fix that one too.

Glad to hear you've liked Chrome Custom Tabs. That's another great product from the team, and provides a lot of Chrome's power and safety, embedded in your app.

Feel free to ping me if you have any questions on either Safe Browsing or multiprocess, or (even better) ask a question on the android-webview-dev mailing list.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment