From f4e58eb83b94d1f5e43eb5736f006afe278bb86f Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Fri, 12 Jun 2026 09:08:13 +0000
Subject: [PATCH] fix(js_widget): disable Android WebView debugging in release builds

AndroidWebViewController.enableDebugging(true) was called unconditionally, allowing chrome://inspect to attach to every JsWidget WebView in production. Gate debugging behind kDebugMode and add regression tests.

Co-authored-by: Sharjeel Yunus
---
 modules/js_widget/lib/src/mobile/js_widget.dart | 5 ++++-
 .../lib/src/mobile/webview_debug_policy.dart | 12 ++++++++++++
 .../test/webview_debug_policy_test.dart | 16 ++++++++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 modules/js_widget/lib/src/mobile/webview_debug_policy.dart
 create mode 100644 modules/js_widget/test/webview_debug_policy_test.dart

diff --git a/modules/js_widget/lib/src/mobile/js_widget.dart b/modules/js_widget/lib/src/mobile/js_widget.dart
index 9d5fd6c75..0413a4aea 100644
--- a/modules/js_widget/lib/src/mobile/js_widget.dart
+++ b/modules/js_widget/lib/src/mobile/js_widget.dart
@@ -1,4 +1,5 @@
 import 'package:flutter/material.dart';
+import 'package:js_widget/src/mobile/webview_debug_policy.dart';
 // Import for Android features.
 import 'package:webview_flutter_android/webview_flutter_android.dart';
 // Import for iOS features.
@@ -91,7 +92,9 @@ class JsWidgetState extends State {
 )
 ..loadHtmlString(getHtmlContent());
 if (controller.platform is AndroidWebViewController) {
- AndroidWebViewController.enableDebugging(true);
+ if (androidWebViewDebuggingEnabled()) {
+ AndroidWebViewController.enableDebugging(true);
+ }
 (controller.platform as AndroidWebViewController)
 .setMediaPlaybackRequiresUserGesture(false);
 }
diff --git a/modules/js_widget/lib/src/mobile/webview_debug_policy.dart b/modules/js_widget/lib/src/mobile/webview_debug_policy.dart
new file mode 100644
index 000000000..bc6eee7a1
--- /dev/null
+++ b/modules/js_widget/lib/src/mobile/webview_debug_policy.dart
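Review bot: The new gate only decides whether `enableDebugging(true)` is called and never sets the flag to false, so a release build leaves the WebView debugging setting at whatever value another caller or an earlier initialisation may have left it; since `AndroidWebViewController.enableDebugging` is invoked statically here, its effect is presumably process-wide rather than scoped to this controller. Setting it explicitly in both modes is more robust and shorter than the three added lines: `AndroidWebViewController.enableDebugging(androidWebViewDebuggingEnabled());`. As before the change, the Future that call returns is not awaited, so a failure to apply the setting would go unobserved; consider awaiting it or wrapping it in `unawaited(...)` with a log. The enclosing method starts and ends outside the hunk.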
@@ -0,0 +1,12 @@
+import 'package:flutter/foundation.dart';
+
+/// Whether Android WebView remote debugging may be enabled for this build.
+///
+/// Release/profile builds must return false so production WebViews cannot be
+/// inspected or scripted via chrome://inspect (CWE-489).
+bool androidWebViewDebuggingEnabled() =>
+ androidWebViewDebuggingEnabledForBuild(isDebugBuild: kDebugMode);
+
+/// Build-mode gate used by [androidWebViewDebuggingEnabled] and unit tests.
+bool androidWebViewDebuggingEnabledForBuild({required bool isDebugBuild}) =>
+ isDebugBuild;
diff --git a/modules/js_widget/test/webview_debug_policy_test.dart b/modules/js_widget/test/webview_debug_policy_test.dart
new file mode 100644
index 000000000..6c9946a69
--- /dev/null
+++ b/modules/js_widget/test/webview_debug_policy_test.dart
@@ -0,0 +1,16 @@
+import 'package:flutter_test/flutter_test.dart';
+import 'package:js_widget/src/mobile/webview_debug_policy.dart';
+
+void main() {
+ group('androidWebViewDebuggingEnabledForBuild', () {
+ test('disables debugging for release/profile builds', () {
+ expect(androidWebViewDebuggingEnabledForBuild(isDebugBuild: false),
+ isFalse);
+ });
+
+ test('allows debugging only for debug builds', () {
+ expect(
+ androidWebViewDebuggingEnabledForBuild(isDebugBuild: true), isTrue);
+ });
+ });
+}
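Review bot: `androidWebViewDebuggingEnabledForBuild` is documented as a test seam, but nothing prevents production code from calling it with a literal `isDebugBuild: true` and bypassing the `kDebugMode` check that is the whole point of the file. Since `package:flutter/foundation.dart` is already imported, annotating it `@visibleForTesting` makes the analyzer flag any such call outside tests: `@visibleForTesting` on the line before `bool androidWebViewDebuggingEnabledForBuild({required bool isDebugBuild}) =>`. It would also help a reader if the doc comment on `androidWebViewDebuggingEnabled` noted that `kDebugMode` is a compile-time constant, so the release value is fixed at build time rather than toggled at runtime.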
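Review bot: Neither test exercises `androidWebViewDebuggingEnabled()`, the function the widget actually calls, so a regression that stops it forwarding `kDebugMode` (for example a hard-coded argument) would still pass this suite. One more expectation pins that wiring under `flutter test`, where `kDebugMode` is normally true: `expect(androidWebViewDebuggingEnabled(), kDebugMode);`, with `kDebugMode` imported from `package:flutter/foundation.dart`. The two existing tests only confirm that the pass-through returns its argument.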