Kitkat 杀死：不允许加载本地资源：file:///android_asset/webkit/android-weberror.png

Question

I have an app that uses WebViews. I've changed my targetAPI from 18 to 19 and I'm currently testing on the new 4.4. For some reason I'm getting this error: Not allowed to load local resource: file:///android_asset/webkit/android-weberror.png on 4.4 but not on 4.3, does somebody have clue why?

Since I don't really know where to start looking I can't give the complete code. It might have something to do with the shouldInterceptRequest(Webview, String) method in the WebViewClient but I'm not really sure. If I know more, I'll update the question.

Answer 1

A bit of an intrusive hack, but I worked around this issue by introducing a "unique token" and implementing the WebViewClient with a shouldInterceptRequest override.

First, change the URL from file:///android/asset to a relative path with a uniquely identifying token:

<script src="**injection**www/scripts.js"></script>

Then, override shouldInterceptRequest as follows:

// Injection token as specified in HTML source
private static final String INJECTION_TOKEN = "**injection**";

webView.setWebViewClient(new WebViewClient() {

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        WebResourceResponse response = super.shouldInterceptRequest(view, url);
        if(url != null && url.contains(INJECTION_TOKEN)) {
            String assetPath = url.substring(url.indexOf(INJECTION_TOKEN) + INJECTION_TOKEN.length(), url.length());
            try {
                response = new WebResourceResponse(
                        "application/javascript",
                        "UTF8",
                        getContext().getAssets().open(assetPath)
                );
            } catch (IOException e) {
                e.printStackTrace(); // Failed to load asset file
            }
        }
        return response;
    }
});

This is likely to degrade WebView performance slightly as we are calling the contains() on each resource which is attempted to be loaded, but it's the only workaround I've found to this issue.

Answer 2

I found that I had this problem on KitKat when I used webview.loadData() . If I instead used webview.loadDataWithBaseURL() (I used "file:///android_asset/" as the baseURL), then the problem went away.

The methods setAllowFileAccess() , setAllowFileAccessFromFileURLs() , and setAllowUniversalAccessFromFileURLs() did not have any affect that I could see.

Answer 3

"Not allowed to load local resource" is a security origin error. The KitKat WebView has stronger security restrictions and it seems like these are kicking in. FWIW I tried just loading a file:///android_asset URL and it worked fine.

Did you call any of the file-related WebSettings APIs (like setAllowFileAccess(false)) by any chance? Are you trying to load the resource from an https: URL?

Answer 4

HERE IS THE SOLUTION: This problem occurs when you try to load a file from library projects. If your app depends on a library where webview and html files reside, then you need include assets from that library project into main application project while compiling. For example, IntelliJ has an option to do this. In the compiler settings "Include assets from dependencies into APK", but make sure that your asset files should have different names than main application has. You don't want library project's index.html to be overridden by main app.

Answer 5

It may be needed to add a permission

<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />

to a manifest.

This permission is enforced starting in API level 19.

Answer 6

The solution below works for me.

webview.loadDataWithBaseURL( baseUrl, htmlStr, "text/html", "UTF-8", "");

where baseUrl is your external domain, not file:///android_asset/ (ie http://a.domain.com ).

Answer 7

Not available at the time, this now works (though it's not recommended):

webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);

Here's what the doc says about setMixedContentMode:

Configures the WebView's behavior when a secure origin attempts to load a resource from an insecure origin. By default, apps that target KITKAT or below default to MIXED_CONTENT_ALWAYS_ALLOW. Apps targeting LOLLIPOP default to MIXED_CONTENT_NEVER_ALLOW. The preferred and most secure mode of operation for the WebView is MIXED_CONTENT_NEVER_ALLOW and use of MIXED_CONTENT_ALWAYS_ALLOW is strongly discouraged.

However, this might not answer the original question; it looks like the restriction only started with Lollipop.

Answer 8

I've found a nice workaround in this link : http://trentmilton.com/android-webview.html

A summary of the solution is something like:

WebView webView = new WebView(this); // this is the context
webView.getSettings().setDomStorageEnabled(true);

Hope that helps

Answer 9

The proper way to handle this is by using WebViewAssetLoader from AndroidX (the successor to the Android Support Library). This class makes it possible for any page element to make use of asset files.

You can add the library to your project by adding this line to your app's build.gradle :

implementation 'androidx.webkit:webkit:1.5.0'

Create an instance of WebViewAssetLoader and point it to the asset path you wish to expose to the WebView:

val assetLoader = WebViewAssetLoader.Builder()
    .addPathHandler("/some/path/", AssetsPathHandler(context))
    .build()

Then override WebViewClient.shouldInterceptRequest() :

webView.webViewClient = object : WebViewClient() {
    override fun shouldInterceptRequest(
        view: WebView,
        request: WebResourceRequest
    ): WebResourceResponse? {
        return assetLoader.shouldInterceptRequest(request.url)
    }
}

Now, instead of file:///android_asset/... , your URLs become:

https://appassets.androidplatform.net/...