Read the bare minimum of data from the WebAPK launch intent.

chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.chrome.browser.webapps;
 
 import android.app.Activity;
 import android.content.Intent;
 import android.net.Uri;
 import android.os.Build;
@@ skipping 45 matching lines @@
         if (webappInfo == null) return;
 
         String webappUrl = webappInfo.uri().toString();
         String webApkPackageName = webappInfo.webApkPackageName();
         int webappSource = webappInfo.source();
         String webappMac = IntentUtils.safeGetStringExtra(intent, ShortcutHelper.EXTRA_MAC);
 
         ChromeWebApkHost.init();
         boolean isValidWebApk = isValidWebApk(webApkPackageName, webappUrl);
 
+        if (isValidWebApk) {
+            // {@link #isValidWebApk} checks whether the start URL sent in the intent is in the
+            // scope of a WebAPK but it does not check that the intent was sent from Chrome. Unlike
+            // non-WebAPK web apps, WebAPK ids are predictable. A malicious actor may send an intent
+            // with a valid start URL and arbitrary other data. Only use the start URL, the package
+            // name and the ShortcutSource from the launch intent and extract the remaining data
+            // from the <meta-data> in the WebAPK's Android manifest.
+            webappInfo = WebApkMetaDataUtils.extractWebappInfoFromWebApk(
+                    webApkPackageName, webappUrl, webappInfo.source());
+
+            if (webappInfo == null) return;
+        }
+
         // Permit the launch to a standalone web app frame if any of the following are true:
         // - the request was for a WebAPK that is valid;
         // - the MAC is present and valid for the homescreen shortcut to be opened;
         // - the intent was sent by Chrome.
         if (isValidWebApk || isValidMacForUrl(webappUrl, webappMac)

[dominickn, 2016/10/11 05:54:52]

Make this if clause an else clause of the above if statement:

else if (!isValidMacForUrl(webappUrl, webappMac) &&
            !wasIntentFromChrome(intent)) {
  Log.E(TAG, "Shortcut opened in Chrome");
  // Other stuff from lines 93 - 101
  return;
}

// Lines 85 - 87 here.

That makes this a little tidier I think.

[pkotwicz, 2016/10/12 05:05:47]

I don't understand. If the WebAPK is valid, this if() statement is also run. The
single line if on line 76 is deceiving

[dominickn, 2016/10/12 05:26:48]

I wrote out what I was suggesting, and it actually doesn't end up that much
cleaner (logged here for completeness). Feel free to ignore.

        if (isValidWebApk) {
            // {@link #isValidWebApk} checks whether the start URL sent in the
intent is in the
            // scope of a WebAPK but it does not check that the intent was sent
from Chrome. Unlike
            // non-WebAPK web apps, WebAPK ids are predictable. A malicious
actor may send an intent
            // with a valid start URL and arbitrary other data. Only use the
start URL, the package
            // name and the ShortcutSource from the launch intent and extract
the remaining data
            // from the <meta-data> in the WebAPK's Android manifest.
            webappInfo = WebApkMetaDataUtils.extractWebappInfoFromWebApk(
                    webApkPackageName, webappUrl, webappInfo.source());

            if (webappInfo == null) return;
        } else if (!isValidMacForUrl(webappUrl,
                           IntentUtils.safeGetStringExtra(intent,
ShortcutHelper.EXTRA_MAC))
                && !wasIntentFromChrome(intent)) {
            Log.e(TAG, "Shortcut (%s) opened in Chrome.", webappUrl);

            // The shortcut data doesn't match the current encoding.  Change the
intent action
            // launch the URL with a VIEW Intent in the regular browser.
            launchIntent = new Intent(Intent.ACTION_VIEW, Uri.parse(webappUrl));
            launchIntent.setClassName(getPackageName(),
ChromeLauncherActivity.class.getName());
           
launchIntent.putExtra(ShortcutHelper.REUSE_URL_MATCHING_TAB_ELSE_NEW_TAB, true);
            launchIntent.putExtra(ShortcutHelper.EXTRA_SOURCE, webappSource);
            launchIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK
                    | ApiCompatibilityUtils.getActivityNewDocumentFlag());

            startActivity(launchIntent);
            ApiCompatibilityUtils.finishAndRemoveTask(this);
            return;
        }

        LaunchMetrics.recordHomeScreenLaunchIntoStandaloneActivity(webappUrl,
webappSource);
        launchIntent = createWebappLaunchIntent(webappInfo, webappSource,
isValidWebApk);

        startActivity(launchIntent);
        ApiCompatibilityUtils.finishAndRemoveTask(this);
    }

[pkotwicz, 2016/10/12 18:52:57]

Ok, I see your suggestion now. I agree that it is not a lot cleaner.

                 || wasIntentFromChrome(intent)) {
             LaunchMetrics.recordHomeScreenLaunchIntoStandaloneActivity(webappUrl, webappSource);
             Intent launchIntent = createWebappLaunchIntent(webappInfo, webappSource, isValidWebApk);
             startActivity(launchIntent);
             return;
         }
 
         Log.e(TAG, "Shortcut (%s) opened in Chrome.", webappUrl);
 
         // The shortcut data doesn't match the current encoding. Change the intent action to
@@ skipping 109 matching lines @@
         if (webApkPackage == null || !ChromeWebApkHost.isEnabled()) {
             return false;
         }
         if (!webApkPackage.equals(WebApkValidator.queryWebApkPackage(this, url))) {
             Log.d(TAG, "%s is not within scope of %s WebAPK", url, webApkPackage);
             return false;
         }
         return true;
     }
 }