From 04a454f6a746fccb7181426637e7cf0c73d665ce Mon Sep 17 00:00:00 2001 From: Shimi Zhang Date: Mon, 26 Aug 2019 11:01:12 -0700 Subject: [PATCH] aw: Correct doc of addJavascriptInterface() The Javadoc of addJavascriptInterface() mentioned that the injected Java object will be injected to main frame, but this is not telling a full picture. The current implementation will inject the Java object to all the frames actually. This CL corrected the misleading wording and add a new warning to explicitly call it out as a security risk. Bug: 113336656 Test: make ds-docs Change-Id: Ia79381d1ab38afa963ea7365526749c14e25238c --- core/java/android/webkit/WebView.java | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/core/java/android/webkit/WebView.java b/core/java/android/webkit/WebView.java index aed6c9c3ab6aa..c50c08ead1959 100644 --- a/core/java/android/webkit/WebView.java +++ b/core/java/android/webkit/WebView.java @@ -1840,8 +1840,8 @@ public class WebView extends AbsoluteLayout /** * Injects the supplied Java object into this WebView. The object is - * injected into the JavaScript context of the main frame, using the - * supplied name. This allows the Java object's methods to be + * injected into all frames of the web page, including all the iframes, + * using the supplied name. This allows the Java object's methods to be * accessed from JavaScript. For applications targeted to API * level {@link android.os.Build.VERSION_CODES#JELLY_BEAN_MR1} * and above, only public methods that are annotated with @@ -1880,6 +1880,11 @@ public class WebView extends AbsoluteLayout * thread of this WebView. Care is therefore required to maintain thread * safety. * + *
  • Because the object is exposed to all the frames, any frame could + * obtain the object name and call methods on it. There is no way to tell the + * calling frame's origin from the app side, so the app must not assume that + * the caller is trustworthy unless the app can guarantee that no third party + * content is ever loaded into the WebView even inside an iframe.
  • *
  • The Java object's fields are not accessible.
  • *
  • For applications targeted to API level {@link android.os.Build.VERSION_CODES#LOLLIPOP} * and above, methods of injected Java objects are enumerable from
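Review bot: In the first hunk (@@ -1840,8), "all frames of the web page, including all the iframes" says the same thing twice and still leaves out the detail that matters for security, namely whether frames from other origins are included. The warning added in the second hunk implies they are ("no third party content ... even inside an iframe"), so say it here as well, where readers meet the method description first. For example: "injected into every frame of the web page, including iframes that load third-party content, using the supplied name". A short pointer from this sentence to the new warning further down would also help, since the two are separated by about forty lines of Javadoc.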
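Review bot: In the second hunk (@@ -1880,6), the new list item puts the rule and its exception in one sentence, and the exception ("unless the app can guarantee that no third party content is ever loaded into the WebView even inside an iframe") is a condition few apps can actually verify, so it risks being read as the normal case. Consider stating the rule on its own first (the app cannot tell which frame's origin made a call, so every call to the injected object must be treated as untrusted) and then giving the exception as a separate, clearly narrow sentence. The commit message describes this as a security risk, but in the Javadoc it sits as one more bullet next to the thread-safety and field-access notes; a word such as "Warning" or bold markup at the start of the item would make it stand out. Minor wording: "third party content" should be "third-party content", and a comma is needed before "even inside an iframe".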