3/3
At the end of the day this isn't super consequential though, because a WebView will default to HTTPS if the domain has HSTS preloading configured (I'd be more concerned about MitM potential resulting from cleartextTrafficPermitted)
March 20, 2024 at 11:16 AM
2/?
Consider this scenario: you can trick a WebView into opening an arbitrary URL with a string such as "attacker[.]com/?https://victim[.]com"
This normally only works with cleartextTrafficPermitted, because otherwise it will trigger a "plaintext traffic" error.
March 20, 2024 at 11:15 AM
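An added example, not part of the thread: one way to reject the schemeless string from post 2 before it reaches a WebView, assuming the app validates URLs with a substring check. The class and method names and the `victim.example` / `attacker.example` hosts are hypothetical stand-ins.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class WebViewUrlCheck {
    // Hypothetical allowlist; victim.example stands in for the app's own domain.
    private static final Set<String> ALLOWED_HOSTS = Set.of("victim.example");

    // Assumed weak check: accepts any string that merely contains the trusted URL,
    // so a trusted URL placed in another host's query string passes.
    static boolean weakCheck(String url) {
        return url.contains("https://victim.example");
    }

    // Stricter check: parse first, then require an explicit https scheme
    // and an exact host match. A string with no scheme is rejected outright,
    // so it is never handed to the WebView to be loaded over cleartext HTTP.
    static boolean strictCheck(String url) {
        try {
            URI parsed = new URI(url);
            String host = parsed.getHost();
            return "https".equalsIgnoreCase(parsed.getScheme())
                    && host != null
                    && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false; // unparseable input is never loaded
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the pattern from the thread.
        List<String> samples = List.of(
                "https://victim.example/account",
                "attacker.example/?https://victim.example",
                "http://victim.example/account");
        for (String s : samples) {
            System.out.printf("%-45s weak=%b strict=%b%n",
                    s, weakCheck(s), strictCheck(s));
        }
    }
}
```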