diff --git a/Android/app/src/main/java/com/archipelago/app/ui/screens/WebViewScreen.kt b/Android/app/src/main/java/com/archipelago/app/ui/screens/WebViewScreen.kt
index 54bcb02a..23cbc5a3 100644
--- a/Android/app/src/main/java/com/archipelago/app/ui/screens/WebViewScreen.kt
+++ b/Android/app/src/main/java/com/archipelago/app/ui/screens/WebViewScreen.kt
@@ -323,6 +323,26 @@ fun WebViewScreen(
 }
 }
+ // Node apps (e.g. NetBird) terminate TLS with a
+ // self-signed cert — the dashboard needs a secure
+ // context for OIDC/window.crypto.subtle (#15). The
+ // WebView default is to CANCEL untrusted certs, so
+ // those apps render blank. The user explicitly trusts
+ // their own node, so proceed for same-host certs only;
+ // reject anything else (don't blanket-trust the web).
+ override fun onReceivedSslError(
+ view: WebView?,
+ handler: android.webkit.SslErrorHandler?,
+ error: android.net.http.SslError?,
+ ) {
+ val u = error?.url
+ if (u != null && isSameHost(u, serverUrl)) {
+ handler?.proceed()
+ } else {
+ handler?.cancel()
+ }
+ }
+
 override fun shouldOverrideUrlLoading(
 view: WebView?,
 request: WebResourceRequest?,
@@ -553,6 +573,23 @@ private fun InAppBrowser(
 canGoForward = view?.canGoForward() == true
 }
+ // Self-signed TLS on the node's apps (e.g. NetBird on
+ // :8087) would otherwise be cancelled by the WebView
+ // and render blank. Proceed for the user's own node
+ // (same host); reject any other untrusted cert.
+ override fun onReceivedSslError(
+ view: WebView?,
+ handler: android.webkit.SslErrorHandler?,
+ error: android.net.http.SslError?,
+ ) {
+ val u = error?.url
+ if (u != null && isSameHost(u, serverUrl)) {
+ handler?.proceed()
+ } else {
+ handler?.cancel()
+ }
+ }
+
 override fun shouldOverrideUrlLoading(
 view: WebView?,
 request: WebResourceRequest?,
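Review bot: `handler?.proceed()` in the new `onReceivedSslError` is gated only on the host of `error?.url`, so every certificate presented for that host is accepted, whatever the error, including one substituted by someone on the network path between the phone and the node. The trust decision is bound to a name rather than to the node's certificate, and per the comment this connection carries the OIDC login. Consider recording the SHA-256 fingerprint of the node's certificate when the user adds the server, and calling `proceed()` only when the certificate from `error.certificate` matches it. `isSameHost` is defined outside the hunk, so whether it also compares scheme and port cannot be confirmed from here. The second hunk adds the same override to `InAppBrowser` and needs the same change.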
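Review bot: The `onReceivedSslError` body added to the `InAppBrowser` client is a line-for-line copy of the one in `WebViewScreen`, so the certificate-exception policy now lives in two places that can drift apart. A single private helper that takes the handler, the error and `serverUrl`, called from both overrides, would keep the decision in one place. It would also help to log each decision there, since the comment says a cancelled load shows up only as a blank page. Which `serverUrl` is in scope inside `InAppBrowser` is not visible in the hunk.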