From 6ffa86d327aa87ebdc3cc1d731759e86c7590253 Mon Sep 17 00:00:00 2001
From: dimitris
Date: Wed, 13 May 2026 20:22:10 +0200
Subject: [PATCH] Use MIXED_CONTENT_COMPATIBILITY_MODE in WebView setup

Six WebView setups in TMessagesProj called setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW) across:
- ArticleViewer (Instant View renderer)
- PaymentFormActivity (2 occurrences -- payment form + 3DS step)
- WebviewActivity (link preview WebView)
- Components/EmbedBottomSheet (iframe embeds)
- Components/PhotoViewerWebView (YouTube and similar embeds)
ALWAYS_ALLOW lets an https page in the WebView load every kind of http sub-resource, including remote scripts. The WebSettings javadoc treats it as the strictly less-safe choice. For PaymentFormActivity the WebView renders payment-provider HTML and the 3DS challenge, both of which should refuse http sub-resources over an https origin on principle. Replace with COMPATIBILITY_MODE, which keeps passive sub-resources (images, fonts) loading on https pages while blocking active mixed content like remote scripts. This is how Chrome treats mixed content in the address bar and is the right default for the four embed and preview surfaces. The change is a single-token swap per call site and does not touch any other WebView setting.
---
 .../src/main/java/org/telegram/ui/ArticleViewer.java | 2 +-
 .../java/org/telegram/ui/Components/EmbedBottomSheet.java | 2 +-
 .../java/org/telegram/ui/Components/PhotoViewerWebView.java | 2 +-
 .../src/main/java/org/telegram/ui/PaymentFormActivity.java | 4 ++--
 .../src/main/java/org/telegram/ui/WebviewActivity.java | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/TMessagesProj/src/main/java/org/telegram/ui/ArticleViewer.java b/TMessagesProj/src/main/java/org/telegram/ui/ArticleViewer.java
index 1435b2e2658..6f6def7c068 100644
--- a/TMessagesProj/src/main/java/org/telegram/ui/ArticleViewer.java
+++ b/TMessagesProj/src/main/java/org/telegram/ui/ArticleViewer.java
@@ -8392,7 +8392,7 @@ public ViewGroup getTextureViewContainer() {
 webView.getSettings().setMediaPlaybackRequiresUserGesture(false);
 webView.addJavascriptInterface(new TelegramWebviewProxy(), "TelegramWebviewProxy");
- webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
+ webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE);
 CookieManager cookieManager = CookieManager.getInstance();
 cookieManager.setAcceptThirdPartyCookies(webView, true);
diff --git a/TMessagesProj/src/main/java/org/telegram/ui/Components/EmbedBottomSheet.java b/TMessagesProj/src/main/java/org/telegram/ui/Components/EmbedBottomSheet.java
index 8dd11ba9294..ba1761d922d 100644
--- a/TMessagesProj/src/main/java/org/telegram/ui/Components/EmbedBottomSheet.java
+++ b/TMessagesProj/src/main/java/org/telegram/ui/Components/EmbedBottomSheet.java
@@ -343,7 +343,7 @@ public boolean onTouchEvent(MotionEvent event) {
 }
 if (Build.VERSION.SDK_INT >= 21) {
- webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
+ webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE);
 CookieManager cookieManager = CookieManager.getInstance();
 cookieManager.setAcceptThirdPartyCookies(webView, true);
 }
diff --git a/TMessagesProj/src/main/java/org/telegram/ui/Components/PhotoViewerWebView.java b/TMessagesProj/src/main/java/org/telegram/ui/Components/PhotoViewerWebView.java
index 90153fd1f2c..4aa466d02ab 100644
--- a/TMessagesProj/src/main/java/org/telegram/ui/Components/PhotoViewerWebView.java
+++ b/TMessagesProj/src/main/java/org/telegram/ui/Components/PhotoViewerWebView.java
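Review bot: In the ArticleViewer.java hunk the WebView that receives the new mode also has `TelegramWebviewProxy` attached through `addJavascriptInterface` in the context line just above, and nothing documents that the mixed-content setting only governs sub-resources of an https page. A document whose top-level URL is itself http is not restricted by it, and the platform documentation describes the set of content types COMPATIBILITY_MODE blocks as not explicitly defined and liable to change between releases, so the bridge's exposure still depends on which URLs reach this WebView. I would add a comment above the call such as `// Only limits http sub-resources on https pages; the TelegramWebviewProxy bridge still relies on the embed URL itself being https and trusted.` and, if Instant View embeds do not need http images, consider `WebSettings.MIXED_CONTENT_NEVER_ALLOW` here. The enclosing method starts and ends outside the hunk, so whether the URL scheme is checked before loading cannot be seen from here. The top-level-http caveat applies equally to the EmbedBottomSheet.java, PhotoViewerWebView.java and WebviewActivity.java hunks.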
@@ -285,7 +285,7 @@ protected void onDetachedFromWindow() {
 }
 if (Build.VERSION.SDK_INT >= 21) {
- webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
+ webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE);
 CookieManager cookieManager = CookieManager.getInstance();
 cookieManager.setAcceptThirdPartyCookies(webView, true);
 }
diff --git a/TMessagesProj/src/main/java/org/telegram/ui/PaymentFormActivity.java b/TMessagesProj/src/main/java/org/telegram/ui/PaymentFormActivity.java
index 8f0256bf5ee..3b7a74862c3 100644
--- a/TMessagesProj/src/main/java/org/telegram/ui/PaymentFormActivity.java
+++ b/TMessagesProj/src/main/java/org/telegram/ui/PaymentFormActivity.java
@@ -1206,7 +1206,7 @@ protected void onMeasure(int widthMeasureSpec, int heightMeasureSpec) {
 webView.getSettings().setUseWideViewPort(true);
 if (Build.VERSION.SDK_INT >= 21) {
- webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
+ webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE);
 CookieManager cookieManager = CookieManager.getInstance();
 cookieManager.setAcceptThirdPartyCookies(webView, true);
 }
@@ -2472,7 +2472,7 @@ public boolean onTouchEvent(MotionEvent event) {
 webView.getSettings().setUseWideViewPort(true);
 if (Build.VERSION.SDK_INT >= 21) {
- webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
+ webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE);
 CookieManager cookieManager = CookieManager.getInstance();
 cookieManager.setAcceptThirdPartyCookies(webView, true);
 }
diff --git a/TMessagesProj/src/main/java/org/telegram/ui/WebviewActivity.java b/TMessagesProj/src/main/java/org/telegram/ui/WebviewActivity.java
index adbf3aa5029..1afc45f67b3 100644
--- a/TMessagesProj/src/main/java/org/telegram/ui/WebviewActivity.java
+++ b/TMessagesProj/src/main/java/org/telegram/ui/WebviewActivity.java
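Review bot: Both PaymentFormActivity.java hunks (the WebView setup at -1206 and the one at -2472) still permit some http sub-resources on the payment and 3DS pages, which does not match the commit description's statement that those pages should refuse http sub-resources over an https origin. COMPATIBILITY_MODE blocks only part of mixed content; the platform documentation leaves the exact set undefined and recommends `MIXED_CONTENT_NEVER_ALLOW` for highest security. For these two call sites I would use `webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);` and keep COMPATIBILITY_MODE for the embed and preview surfaces. Both enclosing methods start and end outside the hunks, so any provider page that depends on http images would need to be checked before tightening.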
@@ -226,7 +226,7 @@ public void onItemClick(int id) {
 }
 if (Build.VERSION.SDK_INT >= 21) {
- webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
+ webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE);
 CookieManager cookieManager = CookieManager.getInstance();
 cookieManager.setAcceptThirdPartyCookies(webView, true);
 if (type == TYPE_GAME) {