Skip to content

Add flighted validation in WebView intent handling#3170

Open
cacosta33 wants to merge 4 commits into
devfrom
cesaracosta/webview-intent-validation
Open

Add flighted validation in WebView intent handling#3170
cacosta33 wants to merge 4 commits into
devfrom
cesaracosta/webview-intent-validation

Conversation

@cacosta33

Copy link
Copy Markdown
Contributor

Summary

Adds a flight-gated validation step to the AAD WebView client's broker-install intent:// handling path. When the flight is enabled, the parsed intent's component/selector are cleared and its target package must be the Google Play Store before the activity is launched. When the flight is disabled, behavior is byte-for-byte identical to today (kill-switch / rollback).

Work item: https://dev.azure.com/IdentityDivision/Engineering/_workitems/edit/3674205

Feature flag & rollout

  • Gated behind a new ECS flight EnableBrokerInstallIntentValidation (CommonFlight), default OFF.
  • Flight OFF means the legacy launch path runs unchanged, so a field regression is a config flip, not a redeploy.
  • common ships to broker + MSAL + downstream consumers, so this is intended to ramp progressively (e.g. 1% then 10% then 100%) while watching install-flow success telemetry.

Changes

  • CommonFlight.java — new ENABLE_BROKER_INSTALL_INTENT_VALIDATION flight (default false).
  • AzureActiveDirectoryWebViewClient.java — inside the flighted branch only: clear any explicit component/selector on the parsed intent and require the resolved package to be on the allow-list (com.android.vending) before startActivity.
  • Tests — added coverage for: non-allow-listed package is not launched; an explicit component is cleared (Play Store still launches); legacy behavior preserved when the flight is off; and a fixed pre-existing test that was missing @Test (so it never ran).

Validation

:common:testLocalDebugUnitTest for the affected client passed (BUILD SUCCESSFUL), all tests pass (4 intent-path tests confirmed executing).

Do not close the linked work item until confirmed

A couple of points cannot be verified from this library's code alone and may affect priority — please confirm before resolving the linked item (the code hardening here is safe to merge/ramp regardless):

  • Whether externally-influenced content can reach this navigation path inside the hosting auth WebView.
  • Real-device behavior of the previously-broader launch path.

Notes for reviewers

  • No behavioral change for any consumer while the flight is OFF (default).
  • Does not touch OneAuthSharedFunctions or any 1P IPC surface.

Introduces a flight-gated validation step in the AAD WebView client's
intent handling path. Default on; the flight provides a rollback path.

Work item: https://dev.azure.com/IdentityDivision/Engineering/_workitems/edit/3674205

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@cacosta33 cacosta33 marked this pull request as ready for review July 2, 2026 16:10
@cacosta33 cacosta33 requested a review from a team as a code owner July 2, 2026 16:10
Copilot AI review requested due to automatic review settings July 2, 2026 16:10

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a flight-gated hardening step to the AAD WebView client’s broker-install intent:// handling so that (when enabled) only Google Play Store intents are launched, while preserving legacy behavior when the flight is disabled.

Changes:

  • Added a new ECS-controlled flight ENABLE_BROKER_INSTALL_INTENT_VALIDATION (default OFF).
  • In the intent:// broker-install handling path (flight ON only): clear explicit component/selector and block non-Play-Store target packages before launching.
  • Expanded unit test coverage for allow-list enforcement, component clearing, and legacy behavior; fixed a previously non-executing test by adding @Test.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
common4j/src/main/com/microsoft/identity/common/java/flighting/CommonFlight.java Adds the new flight definition (default OFF) to gate the new validation logic.
common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java Implements the flighted post-parse validation (clear component/selector + allow-list com.android.vending) before startActivity.
common/src/test/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClientTest.java Adds/updates intent-path tests to validate allow-list behavior, component clearing, and rollback behavior when flight is OFF.

Comment on lines +595 to 602
private void setBrokerInstallIntentValidationFlight(final boolean enabled) {
final IFlightsProvider mockFlightsProvider = Mockito.mock(IFlightsProvider.class);
when(mockFlightsProvider.isFlightEnabled(CommonFlight.ENABLE_BROKER_INSTALL_INTENT_VALIDATION))
.thenReturn(enabled);
final MockCommonFlightsManager mockCommonFlightsManager = new MockCommonFlightsManager();
mockCommonFlightsManager.setMockCommonFlightsProvider(mockFlightsProvider);
CommonFlightsManager.INSTANCE.initializeCommonFlightsManager(mockCommonFlightsManager);
}
…idation

Emits an OpenTelemetry span only when ENABLE_BROKER_INSTALL_INTENT_VALIDATION is on so the fix outcome (launched / blocked / error) can be confirmed in telemetry. Zero behavior change while the flight is off; all span usage is null-guarded. Adds one attribute (is_broker_install_intent_blocked) and a changelog entry. AB#3674205

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@cacosta33 cacosta33 requested a review from a team as a code owner July 2, 2026 19:22
Cesar Acosta and others added 2 commits July 2, 2026 15:35
Restructure processIntentToInstallBrokerApp so the flight-off path is the
original method (unchanged), and all validation + telemetry lives inside the
flight-on branch with a single generic catch(Throwable). This removes the
scattered null-guards and keeps zero behavior/telemetry impact when the flight
is off.

AB#3674205

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Resolve conflicts in changelog.txt, AzureActiveDirectoryWebViewClient.java,
and AzureActiveDirectoryWebViewClientTest.java. Keep the flight-off path
byte-for-byte identical to dev, preserve dev's onboarding telemetry hook
(recordOnboardingStep before the flight check), and retain the flight-gated
broker-install intent validation + span from PR #3170.

AB#3674205

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

❌ Work item link check failed. Description does not contain AB#{ID}.

Click here to Learn more.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants