Uses canonical web domain when validating DAL.
Test: manual verification
Bug: 66900717
Change-Id: Id90d758c59d7997747af8a4ddc4b501e29e44704
diff --git a/input/autofill/AutofillFramework/Application/src/main/java/com/example/android/autofillframework/multidatasetservice/SecurityHelper.java b/input/autofill/AutofillFramework/Application/src/main/java/com/example/android/autofillframework/multidatasetservice/SecurityHelper.java
index 3d13b6d..795d369 100644
--- a/input/autofill/AutofillFramework/Application/src/main/java/com/example/android/autofillframework/multidatasetservice/SecurityHelper.java
+++ b/input/autofill/AutofillFramework/Application/src/main/java/com/example/android/autofillframework/multidatasetservice/SecurityHelper.java
@@ -22,6 +22,8 @@
import android.os.AsyncTask;
import android.util.Log;
+import com.google.common.net.InternetDomainName;
+
import org.json.JSONObject;
import java.io.BufferedReader;
@@ -115,17 +117,25 @@
return isValid;
}
+ public static String getCanonicalDomain(String domain) {
+ InternetDomainName idn = InternetDomainName.from(domain);
+ while (idn != null && !idn.isTopPrivateDomain()) {
+ idn = idn.parent();
+ }
+ return idn == null ? null : idn.toString();
+ }
public static boolean isValid(String webDomain, String packageName, String fingerprint) {
- if (DEBUG) Log.d(TAG, "validating domain " + webDomain + " for pkg " + packageName
- + " and fingerprint " + fingerprint );
+ String canonicalDomain = getCanonicalDomain(webDomain);
+ if (DEBUG) Log.d(TAG, "validating domain " + canonicalDomain + " (" + webDomain
+ + ") for pkg " + packageName + " and fingerprint " + fingerprint );
final String fullDomain;
if (!webDomain.startsWith("http:") && !webDomain.startsWith("https:") ) {
// Unfortunately AssistStructure.ViewNode does not tell what the domain is, so let's
// assume it's https
- fullDomain = "https://" + webDomain;
+ fullDomain = "https://" + canonicalDomain;
} else {
- fullDomain = webDomain;
+ fullDomain = canonicalDomain;
}
// TODO: use the DAL Java API or a better REST alternative like Volley
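Review bot: `getCanonicalDomain()` is called on the raw `webDomain` before the scheme check in `isValid()`, so this validation path can throw instead of failing closed. As far as Guava documents it, `InternetDomainName.from()` rejects a string such as `https://example.com` with IllegalArgumentException, and `parent()` throws IllegalStateException once no parent is left, so the `idn != null` test never sees null and a host with no registrable domain (a bare public suffix or a single label) escapes as an unchecked exception. The `else` branch also assigns `canonicalDomain` without a scheme, so if it were reached the DAL request URL would lack `http(s)://`; if callers can really pass a full URL, the host should be extracted before canonicalizing. I would guard the parse and have `isValid()` return false when no canonical domain exists, as sketched below; the body of `isValid()` continues beyond this hunk.

```java
public static String getCanonicalDomain(String domain) {
    // Fail closed on input that is not a plain host name (null, or a URL with a scheme).
    if (domain == null || !InternetDomainName.isValid(domain)) {
        return null;
    }
    InternetDomainName idn = InternetDomainName.from(domain);
    // topPrivateDomain() throws unless the name sits under a known public suffix.
    return idn.isUnderPublicSuffix() ? idn.topPrivateDomain().toString() : null;
}

public static boolean isValid(String webDomain, String packageName, String fingerprint) {
    String canonicalDomain = getCanonicalDomain(webDomain);
    if (canonicalDomain == null) {
        Log.w(TAG, "rejecting web domain that cannot be canonicalized: " + webDomain);
        return false;
    }
    // … unchanged: debug log, fullDomain construction, DAL request …
```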