mobilesdk-bot
commented
2 months ago | 3 Warnings | |
|---|---|
| :warning: | libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/LoginActivity.kt#L199 - Using setJavaScriptEnabled can introduce XSS vulnerabilities into your application, review carefully |
| :warning: | libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/OAuthWebviewHelper.kt#L207 - Using setJavaScriptEnabled can introduce XSS vulnerabilities into your application, review carefully |
| :warning: | libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/ServerPickerActivity.java#L261 - The indentation string here is different from on the previous line (" " vs \t) |
Tests results for SalesforceSDK
Generated by :no_entry_sign: Danger
This singular variable has always controlled too many distinct scenarios:
Intent.FLAG_ACTIVITY_NO_HISTORYshould be set on the custom tab activity.This leads to bad scenarios like: you need to not reload on background for MFA so you sacrifice the correct server being loaded from the picker when you switch. <- That sucks.
I believe all of these scenarios only have one real correct choice and it is to not reload ever, unless the server changes. If a reload is needed for some extreme case we cannot foresee the manual option remains.
This is the PR that originally added shouldReloadPage, which set it to true by default. This was done to make it possible to transition between webview and custom tab, however that also requires the no history flag which breaks MFA. To work around this I have decided to relaunch the LoginActivity instead of reloading the webview (which feels a little bad) to support this transition. This is necessary since there is no way to programmatically close a custom tab 🙄. The only time we need to reload the webview is after we fetch the auth config because we don't know if login should be in a custom tab or not until then.
P.S: An added benefit is this removes a reason for apps to subclass
LoginActivityand override the defaultOAuthWebviewHelper.