I would like to know if this code is secure for validating that a URL is from my domain before loading it in a WebView on Android:

if (!url.startsWith("https://www.example.com/test/")){
   // don't load the url
   dontload = true;
}

It looks secure, but do you know if there is any way to bypass it? Maybe with URL encoding?

I use this code in onPreExecute to set the boolean that is checked before loading the url.

I get the url from url = getIntent().getDataString()

1 Answer

Such a check is safe.

A similar check might be error prone. For instance, if you used

url.startsWith("https://www.example.com")

it could give an unexpected result, if you had a URL like

https://[email protected]

The part before @ would be interpreted as a user+password. But a user+password cannot contain an unescaped /. The URL you test includes / (...com/...), thus you're safe against such attacks.

I don't see any weaknesses in your check.

  • Thank you, I was thinking that too but just wanted to be sure ! Thanks !
    – Neolex
    Commented Jun 8, 2020 at 10:58
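
As an added example (not code from the question or the answer), the same decision implemented by parsing the URL with java.net.URI and checking scheme, host, userinfo and normalized path, shown beside the two prefix checks discussed above; the host and path values are the question's, and the sample URLs are constructed:

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example: compares raw-string prefix checks with a parser-based allowlist.
public final class UrlAllowlist {
    static final String ALLOWED_HOST = "www.example.com";
    static final String ALLOWED_PATH_PREFIX = "/test/";

    // The question's check: prefix on the raw string, including the trailing path.
    static boolean prefixCheck(String url) {
        return url.startsWith("https://www.example.com/test/");
    }

    // The weaker variant from the answer: no path, so userinfo can precede the real host.
    static boolean weakPrefixCheck(String url) {
        return url.startsWith("https://www.example.com");
    }

    // Parser-based check: decide on parsed components rather than on raw text.
    static boolean parsedCheck(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected
        }
        if (uri.isOpaque() || uri.getHost() == null) {
            return false; // no hierarchical authority, nothing to allowlist
        }
        return "https".equals(uri.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(uri.getHost())
                && uri.getUserInfo() == null                      // reject user@host forms
                && uri.normalize().getPath().startsWith(ALLOWED_PATH_PREFIX); // "/test/../x" -> "/x"
    }

    public static void main(String[] args) {
        String[] samples = {                                  // constructed inputs
            "https://www.example.com/test/page",              // legitimate
            "https://www.example.com@attacker.invalid/",      // userinfo form from the answer
            "https://www.example.com/test/%41/page",          // percent-encoded path segment
        };
        for (String s : samples) {
            System.out.printf("%-45s prefix=%b weak=%b parsed=%b%n",
                    s, prefixCheck(s), weakPrefixCheck(s), parsedCheck(s));
        }
    }
}
```

For the userinfo sample, weakPrefixCheck returns true while both prefixCheck and parsedCheck return false; the parser-based version also keeps rejecting such input if the path prefix is later dropped from the policy.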