LoginFragment.setupWebBrowser creates a WebView for the Common Voice sign-in flow and attaches a WebViewClient that only overrides onPageStarted and onPageFinished:
```kotlin
private fun setupWebBrowser() = binding.webViewBrowser.apply {
    settings.javaScriptEnabled = true
    settings.domStorageEnabled = true
    settings.userAgentString = settings.userAgentString.replace("; wv", "")
    webViewClient = object : WebViewClient() {
        override fun onPageStarted(view: WebView?, url: String?, favicon: Bitmap?) {
            showLoading()
        }
        override fun onPageFinished(view: WebView?, url: String?) {
            // ...
        }
    }
}
```
Without shouldOverrideUrlLoading the WebView happily follows anything the auth pages or the Common Voice site link to: privacy policy / terms / "contact us" / Discord links / mailto: / tel: / anything Mozilla decides to put in the page later. The user ends up on an unrelated page inside the login WebView, the cookie-check that ultimately sets connect.sid no longer fires, and the only way out is to back out of the screen entirely.
Suggested fix
Override shouldOverrideUrlLoading and keep the WebView pinned to the hosts that actually drive the auth flow (commonvoice.mozilla.org, auth.mozilla.auth0.com, plus the *.mozilla.org / *.auth0.com subdomains the OAuth pages occasionally redirect through). Hand everything else off to the system:
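```kotlin
override fun shouldOverrideUrlLoading(
    view: WebView?,
    request: WebResourceRequest?
): Boolean {
    val uri = request?.url ?: return false
    val host = uri.host
    // Hosts that drive the auth flow: two exact names plus their parent-domain subdomains.
    val isAuthHost = host == "commonvoice.mozilla.org"
        || host == "auth.mozilla.auth0.com"
        || host?.endsWith(".mozilla.org") == true
        || host?.endsWith(".auth0.com") == true
    if (isAuthHost && (uri.scheme == "https" || uri.scheme == "http")) {
        // Returning false lets the WebView load the URL itself.
        return false
    }
    // Everything else (other hosts, mailto:, tel:, ...) goes to the system.
    try {
        startActivity(Intent(Intent.ACTION_VIEW, uri))
    } catch (e: ActivityNotFoundException) {
        Timber.w(e, "No activity to handle %s", uri)
    }
    // Returning true cancels the load inside the WebView.
    return true
}
```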
The happy path (Common Voice -> Auth0 -> back to Common Voice with the session cookie) is unchanged. A PR is open at #221.
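The allowlist decision from the suggested fix, pulled out into a plain-JVM function so it can be checked off-device against lookalike URLs. This is an added example, not code from the issue or the project: `NavDecision` and `decide` are hypothetical names, `java.net.URI` stands in for `android.net.Uri`, and lowercasing the host and scheme is an assumption of this example.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Hypothetical names for this example; host values are the ones listed in the suggested fix.
enum class NavDecision { LOAD_IN_WEBVIEW, HAND_TO_SYSTEM }

private val exactHosts = setOf("commonvoice.mozilla.org", "auth.mozilla.auth0.com")
// The leading dot makes these match subdomains only, not hosts that merely end in the same letters.
private val hostSuffixes = listOf(".mozilla.org", ".auth0.com")

fun decide(url: String): NavDecision {
    val uri = try {
        URI(url)
    } catch (e: URISyntaxException) {
        return NavDecision.HAND_TO_SYSTEM // assumption: unparseable input never loads in the WebView
    }
    val scheme = uri.scheme?.lowercase()
    // uri.host is the parsed authority host, so userinfo ("a@b") and path text cannot spoof it.
    val host = uri.host?.lowercase() ?: return NavDecision.HAND_TO_SYSTEM
    val isAuthHost = host in exactHosts || hostSuffixes.any { host.endsWith(it) }
    return if (isAuthHost && (scheme == "https" || scheme == "http")) {
        NavDecision.LOAD_IN_WEBVIEW
    } else {
        NavDecision.HAND_TO_SYSTEM
    }
}

fun main() {
    // Constructed sample URLs, not taken from the app or from real traffic.
    val samples = listOf(
        "https://commonvoice.mozilla.org/login",
        "https://auth.mozilla.auth0.com/authorize?client_id=PLACEHOLDER",
        "https://www.mozilla.org/privacy/",
        "https://commonvoice.mozilla.org.example.net/login",
        "https://commonvoice.mozilla.org@example.net/",
        "https://example.net/?next=commonvoice.mozilla.org",
        "mailto:someone@example.org",
        "tel:+15550100"
    )
    for (s in samples) println("%-16s %s".format(decide(s), s))
}
```

Under this allowlist any `*.mozilla.org` page, such as the `www.mozilla.org` sample, still loads inside the WebView; only hosts outside the two parent domains and non-HTTP(S) schemes are handed to the system.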