Android WebView blocks redirect from https to http

Question

I have a solution where my Android WebView needs to first open a https url, then it will be redirected to a http url (it might be trying a http POST from the https site). This is not working, and my Android debug log says:

02-20 11:04:45.079 8538-8538/? E/WebViewCallback﹕ Blocked URL: [blocked] The page at 'https://xxx/' was loaded over HTTPS, but is submitting data to an insecure location at 'http://yyy': this content should also be submitted over HTTPS.

Are there any configuration options in the WebView that will allow this behaviour?

More info: it seems like a behaviour change in the Android SDK. A client compiled a long time ago does this without any complaints.

Answer 1

Its worked for me

 AlertDialog.Builder builder = new AlertDialog.Builder(MainActivity.webView.getContext());
  AlertDialog alertDialog = builder.create();
  String message = "Certificate error.";
  switch (error.getPrimaryError()) {
     case SslError.SSL_UNTRUSTED:
        message = "The certificate authority is not trusted.";
        break;
     case SslError.SSL_EXPIRED:
        message = "The certificate has expired.";
        break;
     case SslError.SSL_IDMISMATCH:
        message = "The certificate Hostname mismatch.";
        break;
     case SslError.SSL_NOTYETVALID:
        message = "The certificate is not yet valid.";
        break;
  }
  message += " Do you want to continue anyway?";
  alertDialog.setTitle("SSL Certificate Error");
  alertDialog.setMessage(message);
  alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() {

     public void onClick(DialogInterface dialog, int which) {
        Log.d("CHECK", "Button ok pressed");
        // Ignore SSL certificate errors
        handler.proceed();
     }
  });
  alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() {

     public void onClick(DialogInterface dialog, int which) {
        Log.d("CHECK", "Button cancel pressed");
        handler.cancel();
     }
  });
  alertDialog.show();

Answer 2

There was a change in default WebView settings for mixed http/https content in Lollipop (API 20). See https://datatheorem.github.io/android/2014/12/20/webviews-andorid-lollipop/ for more details.

To allow https to redirect to http you need to set the mixed content mode to MIXED_CONTENT_ALWAYS_ALLOW

 if (Build.VERSION.SDK_INT >= 21) {
        webview.getSettings().setMixedContentMode( WebSettings.MIXED_CONTENT_ALWAYS_ALLOW );
    }

Note that setting MIXED_CONTENT_ALWAYS_ALLOW is bad from security point of view, and as you note in your answer, it is better to support https on both sites.

But for those that don't have control over the sites, this should work.

Answer 3

From my research I don't think it is possible to disable this feature. I will support https in both sites instead. Safest anyway.

Answer 4

You can ignore ssl error by overriding onReceivedSslError() method.

@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.proceed(); // Ignore SSL certificate errors
}

Hope it will be work for you.