Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WebView with inline HTML #5

Closed
rodrigobdz opened this issue Aug 1, 2018 · 4 comments
Closed

WebView with inline HTML #5

rodrigobdz opened this issue Aug 1, 2018 · 4 comments
Labels
🗣 Discussion This label identifies an ongoing discussion on a subject

Comments

@rodrigobdz
Copy link

rodrigobdz commented Aug 1, 2018
edited
Loading

WebView not working any more as expected when used with inline HTML.

Goal

Discuss the breaking change before sending a PR to improve the current docs. It seems counterintuitive to add an originWhitelist wildcard in order to render inline HTML.

Background

This issue was migrated from facebook/react-native/issues/20464.

The regression was introduced in commit 634e7e1 by @mmmulani with commit message:

iOS only: Breaking Change: Restrict WebView to only http(s) URLs

Summary:
To prevent people from linking file:// or other URLs inside RN WebViews, default to not allowing those types of URLs.
This adds the originWhitelist to specify other schemes or domains to be allowed.
If the url is not allowed, it will be opened in Safari/by the OS instead.

This is not well documented in CHANGELOG which leads to unexpected breaking behavior. It is also not described as an iOS specific change.

What was the rationale behind the breaking change?

Expected Behavior

Use inline HTML in WebView by passing only the HTML code to render.

import React from 'react'
import { WebView } from 'react-native'

export default () => (
  <WebView
    source={{ html: '<h1>Hello world</h1>' }}
  />
)

Actual Behavior

WebView expects originWhitelist along with source to render inline HTML as suggested in in #19986's comment.

import React from 'react'
import { WebView } from 'react-native'

export default () => (
  <WebView
    originWhitelist={['*']}
    source={{ html: '<h1>Hello world</h1>' }}
  />
)
@kelset kelset added the 🗣 Discussion This label identifies an ongoing discussion on a subject label Aug 1, 2018
@axe-fb
Copy link
Collaborator

axe-fb commented Aug 6, 2018
edited
Loading

@rodrigobdz - This change was made for security reasons. I understand that this is a breaking change, but by enforcing this, we wanted to ensure that WebViews are secure by default.

Also, I am not sure if this issue belongs in this repo as opposed to the React Native core repo, where we discuss issues. Not sure if others feel the same.

@kelset
Copy link
Member

kelset commented Aug 6, 2018

Uhm I guess that since it's something that will not be reversed, and that @axe-fb provided an explanation for why it was changed, then yeah I think that we can close this and @rodrigobdz if you want to submit a PR to the docs clarifying how this affects WebView feel free to mention me in the PR so that I can review & merge asap.

@kelset kelset closed this as completed Aug 6, 2018
@axe-fb
Copy link
Collaborator

axe-fb commented Aug 6, 2018

@rodrigobdz - I am also sorry we had to make this breaking change. This was filed as a security issue for all existing RN apps :(

@rodrigobdz
Copy link
Author

Thanks for the clarification @axe-fb. I will submit a PR this week to complement the docs with a minimal example on how to use inline HTML in WebView.

@rodrigobdz rodrigobdz mentioned this issue Aug 7, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🗣 Discussion This label identifies an ongoing discussion on a subject
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rodrigobdz @kelset @axe-fb