Javascript redirect not working in Edge browser when opened with android ActionView intent, but working after manual reload

Question

Situation

In our Android app (Xamarin), we open a web page using an ActionView intent. The code looks like this:

Intent intent = new Intent((string)Intent.ActionView, Android.Net.Uri.Parse(args.url));           
           
intent.AddFlags(ActivityFlags.NewTask);

The opened page at some point does a JS redirect, with a line like this:

window.location = '...';

We tried many different variations of that line, including window.location.href = '...', window.location.assign('...'); and some more. All show the same behavior.

Problem

This has worked fine for years now, in all browsers - but now we ran into a problem, when the browser on the android device is the Edge browser:

When the browser tab is initially opened by the intent, the window.location = '...' line in Javascript is just ignored by the browser. No error message - just ignored.

However, if that same browser tab with exactly the same URL is opened manually (either by reloading or by copying and pasting the URL), the JS redirect is executed just fine.

Question

How do we fix this, how do we make the JS redirect reliably work?

My guess is that we are running into a security feature, which prevents JS redirects in browser tabs that the user has never interacted with.

Is there something (maybe an intent flag?) to circumvent this? We already tried the flag GrantWriteUriPermission, but it did not help.

Possible duplicates

Android Browser Facebook Redirect Does Not Always Trigger Intent for URL :
The proposed situation of setting the URL on a link and faking a click on it did not work.

Answer 1

Microsoft Edge security

Microsoft Edge recently fixed an issue regarding XSS Targeting Non-Script Elements (June 24, 2021).

The vulnerability was found by two researcher when they visited a website in another language via the Microsoft Edge browser and attempted to translate the page. The goal of the recent fix by Microsoft is to avoid vulnerability regarding accessing dynamically to a content from a third party application and specifically in the case of browser redirection. They need to act quickly because the vulnerability is quite huge.

In order to mitigate a large class of potential cross-site scripting issues, the Microsoft Edge Extension system has incorporated the general concept of Content Security Policy (CSP)

Ok, but ... is there any solution?

Maybe you can find a solution to solve your issue here, in particular the part concerning the <button onclick="...">.

Inline code is considered harmful in concept of CSP and microsoft recommend some good practices :

1 - The clickHandler definition must be moved into an external JavaScript

2 - The inline event handler definitions must be rewritten in terms of addEventListener and extracted into your external js file. If you are currently starting your program using code like <body onload="main();">, consider replacing it by hooking into the DOMContentLoaded event of the document, or the load event of the window, depending on your requirements. Use the former, since it generally triggers more quickly.

3 - Function inside onclick call must be rewritten to avoid converting the string of function into JavaScript for running.

The code exemple of the external .js file cited in the documentation look like this :

function awesome() {
// Do something awesome!
}

function totallyAwesome() {
// do something TOTALLY awesome!
}

function awesomeTask() {
    awesome();
    totallyAwesome();
}

function clickHandler(e) {
    setTimeout(awesomeTask, 1000);
}

function main() {
    // Initialization work goes here.
}

// Add event listeners once the DOM has fully loaded by listening for the
// `DOMContentLoaded` event on the document, and adding your listeners to
// specific elements when it triggers.
document.addEventListener('DOMContentLoaded', function () {
    document.querySelector('button').addEventListener('click', 
clickHandler);
    main();
});

Hope it's helps