WebView.AddJavascriptInterface(Object, String) Method

Definition

Namespace:

Android.Webkit

Assembly:

Mono.Android.dll

Injects the supplied Java object into this WebView.

[Android.Runtime.Register("addJavascriptInterface", "(Ljava/lang/Object;Ljava/lang/String;)V", "GetAddJavascriptInterface_Ljava_lang_Object_Ljava_lang_String_Handler")]
public virtual void AddJavascriptInterface (Java.Lang.Object object, string name);

[<Android.Runtime.Register("addJavascriptInterface", "(Ljava/lang/Object;Ljava/lang/String;)V", "GetAddJavascriptInterface_Ljava_lang_Object_Ljava_lang_String_Handler")>]
abstract member AddJavascriptInterface : Java.Lang.Object * string -> unit
override this.AddJavascriptInterface : Java.Lang.Object * string -> unit

Parameters

object

Object

the Java object to inject into this WebView's JavaScript context. null values are ignored.

name

String

the name used to expose the object in JavaScript

Attributes

RegisterAttribute

Remarks

Injects the supplied Java object into this WebView. The object is injected into all frames of the web page, including all the iframes, using the supplied name. This allows the Java object's methods to be accessed from JavaScript. For applications targeted to API level android.os.Build.VERSION_CODES#JELLY_BEAN_MR1 and above, only public methods that are annotated with android.webkit.JavascriptInterface can be accessed from JavaScript. For applications targeted to API level android.os.Build.VERSION_CODES#JELLY_BEAN or below, all public methods (including the inherited ones) can be accessed, see the important security note below for implications.

Note that injected objects will not appear in JavaScript until the page is next (re)loaded. JavaScript should be enabled before injecting the object. For example:

class JsObject {
               {@literal @}JavascriptInterface
               public String toString() { return "injectedObject"; }
            }
            webview.getSettings().setJavaScriptEnabled(true);
            webView.addJavascriptInterface(new JsObject(), "injectedObject");
            webView.loadData("<!DOCTYPE html><title></title>", "text/html", null);
            webView.loadUrl("javascript:alert(injectedObject.toString())");

<strong>IMPORTANT:</strong> <ul> <li> This method can be used to allow JavaScript to control the host application. This is a powerful feature, but also presents a security risk for apps targeting android.os.Build.VERSION_CODES#JELLY_BEAN or earlier. Apps that target a version later than android.os.Build.VERSION_CODES#JELLY_BEAN are still vulnerable if the app runs on a device running Android earlier than 4.2. The most secure way to use this method is to target android.os.Build.VERSION_CODES#JELLY_BEAN_MR1 and to ensure the method is called only when running on Android 4.2 or later. With these older versions, JavaScript could use reflection to access an injected object's public fields. Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application. Use extreme care when using this method in a WebView which could contain untrusted content.</li> <li> JavaScript interacts with Java object on a private, background thread of this WebView. Care is therefore required to maintain thread safety. </li> <li> Because the object is exposed to all the frames, any frame could obtain the object name and call methods on it. There is no way to tell the calling frame's origin from the app side, so the app must not assume that the caller is trustworthy unless the app can guarantee that no third party content is ever loaded into the WebView even inside an iframe.</li> <li> The Java object's fields are not accessible.</li> <li> For applications targeted to API level android.os.Build.VERSION_CODES#LOLLIPOP and above, methods of injected Java objects are enumerable from JavaScript.</li> </ul>

Java documentation for android.webkit.WebView.addJavascriptInterface(java.lang.Object, java.lang.String).

Portions of this page are modifications based on work created and shared by the Android Open Source Project and used according to terms described in the Creative Commons 2.5 Attribution License.