element-hq / element-android

A Matrix collaboration client for Android.
https://element.io/
Apache License 2.0

net::ERR_CLEARTEXT_NOT_PERMITTED when adding a http:// widget #2833

Open vranki opened 3 years ago

vranki commented 3 years ago

Describe the bug

Adding a widget to a room that is behind http (not https) works fine on Element Desktop, but on Android it gives this error. I don't see a reason to limit widgets to https only so this smells like a bug.

To Reproduce

Steps to reproduce the behavior:

  1. Go to Element Desktop
  2. /addwidget http://some.url/
  3. Try to open the widget on Android
  4. See error

Expected behavior

Widget should appear as on desktop.

tobymurray commented 3 years ago

Very naively (haven't done Android development in a long time), looking at network_security_config, it seems like only localhost, the emulator, and onion are allowed in cleartext.

Looking at the docs, this seems to be driven by Android:

Starting with Android 9 (API level 28), cleartext support is disabled by default.

The same issue arises trying to connect to a local Matrix server without SSL. It works on desktop but not on mobile.
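
A small checker for the behaviour discussed in this thread, added here as an example (not code from element-android or from the commenters): it evaluates a network security config the way the Android documentation describes (base-config default, nested domain-config inheritance, most specific domain wins) and reports whether http:// to a given host is permitted. The XML is a constructed sample, and `cleartext_permitted` and its `target_sdk` parameter are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample, NOT element-android's real file: cleartext only for
# localhost, the emulator host alias and .onion, as described in the thread.
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">localhost</domain>
        <domain includeSubdomains="false">10.0.2.2</domain>
        <domain includeSubdomains="true">onion</domain>
    </domain-config>
</network-security-config>
"""

def _flag(elem, inherited):
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"

def _collect(elem, inherited, rules):
    """Flatten (possibly nested) <domain-config> elements into rules."""
    for cfg in elem.findall("domain-config"):
        permitted = _flag(cfg, inherited)
        for dom in cfg.findall("domain"):
            name = (dom.text or "").strip().lower()
            subs = dom.get("includeSubdomains", "false").lower() == "true"
            rules.append((name, subs, permitted))
        _collect(cfg, permitted, rules)  # children inherit from this config

def cleartext_permitted(config_xml, host, target_sdk=28):
    """Return True if http:// to `host` is allowed under this config."""
    root = ET.fromstring(config_xml)
    # Platform default: cleartext allowed up to API 27, denied from API 28.
    default = target_sdk <= 27
    base = root.find("base-config")
    base_flag = default if base is None else _flag(base, default)
    rules = []
    _collect(root, base_flag, rules)
    host = host.lower().rstrip(".")
    best = None
    for name, subs, permitted in rules:
        if host == name or (subs and host.endswith("." + name)):
            # The most specific (longest) matching domain rule wins.
            if best is None or len(name) > len(best[0]):
                best = (name, permitted)
    return base_flag if best is None else best[1]
```

Running it against an app's own `network_security_config` with the widget or homeserver hostname shows whether an `http://` URL will be refused before anyone has to reproduce the error on a device.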