shouldOverrideUrlLoading always returns true for HTTP/HTTPS URLs, destroying browsing context (window.opener, Referer, Sec-Fetch-Site) #2791
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
The plugin's Java-side shouldOverrideUrlLoading() always returns true for all URLs (including HTTP/HTTPS) when useShouldOverrideUrlLoading is enabled. This immediately cancels the original navigation. When the Dart side returns NavigationActionPolicy.ALLOW, the allowShouldOverrideUrlLoading() method calls webView.loadUrl(url) to start a completely new navigation that has lost all browsing context:
window.opener becomes null
Referer header is missing
Sec-Fetch-Site becomes none instead of cross-site or same-origin
Sec-Fetch-Dest may change
Any opener–popup JavaScript relationship is severed
This breaks real-world payment flows (e.g., PAYCO, Kakao Pay) that rely on window.opener to communicate between popup and parent windows.
Expected Behavior
When useShouldOverrideUrlLoading is enabled and the Dart callback returns NavigationActionPolicy.ALLOW for an HTTP/HTTPS URL, the navigation should proceed as if the plugin never intercepted it — preserving the original browsing context including window.opener, Referer header, and Sec-Fetch-Site header.
This is consistent with how native Android apps handle shouldOverrideUrlLoading: return false for HTTP/HTTPS URLs to let the WebView engine process them natively.
Steps with code example to reproduce
Details
//In both InAppWebViewClient.java (line 93/112) and InAppWebViewClientCompat.java (line 101/124): // InAppWebViewClient.java — shouldOverrideUrlLoading (API 21+) @OverRide public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) { InAppWebView webView = (InAppWebView) view; if (webView.customSettings.useShouldOverrideUrlLoading) { onShouldOverrideUrlLoading(webView, ...); // ... return true; // <-- ALWAYS true, even for http/https } return false; }Stacktrace/Logs
Details
Before navigation in popup — opener exists D/PopupWebView: opener check: {"url":"https://example.com/popup","openerType":"object","openerIsNull":false,"openerValue":"[object Window]"}// shouldOverrideUrlLoading fires for an HTTP navigation
D/PopupWebView: shouldOverrideUrlLoading called: https://payment-gateway.com/checkout
// After navigation completes (loadUrl was called internally) — opener is gone
D/PopupWebView: opener check: {"url":"https://payment-gateway.com/checkout","openerType":"object","openerIsNull":true,"openerValue":"null"}
</details>
### Flutter version
flutter_inappwebview: 6.1.5 flutter_inappwebview_android: 1.1.3
### Operating System, Device-specific and/or Tool
Android inappwebview Even returning ALLOW for http/https causes the issue
makes me shouldOverrideUrlLoading Options like android native
InAppWebView(
initialUrlRequest: URLRequest(url: WebUri('https://example.com/parent')),
initialSettings: InAppWebViewSettings(
javaScriptEnabled: true,
javaScriptCanOpenWindowsAutomatically: true,
supportMultipleWindows: true,
useShouldOverrideUrlLoading: true, // <-- this triggers the bug
),
shouldOverrideUrlLoading: (controller, navigationAction) async {
// Even returning ALLOW for http/https causes the issue
return NavigationActionPolicy.ALLOW;
},
onCreateWindow: (controller, createWindowAction) async {
// Open popup with windowId to preserve opener relationship
Navigator.push(context, MaterialPageRoute(
builder: (context) => Scaffold(
body: InAppWebView(
windowId: createWindowAction.windowId,
initialSettings: InAppWebViewSettings(
javaScriptEnabled: true,
useShouldOverrideUrlLoading: true,
),
shouldOverrideUrlLoading: (controller, navigationAction) async {
return NavigationActionPolicy.ALLOW;
},
),
),
));
return true;
},
);
// android native return shouldOverridUrlLoading as boolean.
override fun shouldOverrideUrlLoading(
view: WebView?,
request: WebResourceRequest?
): Boolean {
}
### Plugin version
flutter_inappwebview: 6.1.5 flutter_inappwebview_android: 1.1.3
### Additional information
_No response_
### Self grab
- [x] I'm ready to work on this issue!