
Android Iframe SameOrigin on custom sites


I don’t think you can do that, since Chromium doesn’t see Allow-From as a feature[1] and Android relies heavily on Chromium’s frameworks for WebViews.

I’m guessing your requirements are to block browser-based clickjacking?

Since you can’t use Allow-From, you may want to think about an approach similar to that outlined in this BlackHat talk[2], UI Redressing Attacks on Android Devices. I’d recommend reading the entire PDF; really interesting stuff.

Check out Chapter 5, MITIGATION TECHNIQUES, Section 1, Browser-Based UI Redressing.

<!-- Hide the whole page until the script below confirms it is not framed -->
<style id="antiClickjack">
    body { display: none !important; }
</style>
<script type="text/javascript">
    if (self === top) {
        // Top-level document: remove the hiding style so the page renders
        var antiClickjack = document.getElementById("antiClickjack");
        antiClickjack.parentNode.removeChild(antiClickjack);
    } else {
        // Framed: break out of the frame by navigating the top window to ourselves
        top.location = self.location;
    }
</script>

[1] https://code.google.com/p/chromium/issues/detail?id=129139#c20
[2] https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf


The WebView has a loadDataWithBaseURL() method. You could read in your file, and pass that through with whatever origin you need as the base url.

public void loadDataWithBaseURL(String baseUrl,
                                String data,
                                String mimeType,
                                String encoding,
                                String historyUrl)

Loads the given data into this WebView, using baseUrl as the base URL for the content. The base URL is used both to resolve relative URLs and when applying JavaScript's same origin policy.
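As an added example (not code from either answer above), this is how a bundled HTML file can be loaded through loadDataWithBaseURL() under a chosen origin, with a WebViewClient that keeps navigation on that origin. It assumes an asset named page.html, a WebView supplied by the Activity, and the placeholder origin https://app.example.com/.

```java
// Added example: load an asset into a WebView under a chosen origin so the
// same-origin policy treats the content as belonging to that site.
// Assumptions: asset "page.html" exists; BASE_URL is a placeholder origin.
import android.content.Context;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

public class SameOriginLoader {
    private static final String BASE_URL = "https://app.example.com/"; // placeholder

    /** Reads a UTF-8 asset into a String. */
    private static String readAsset(Context ctx, String name) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(ctx.getAssets().open(name), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) sb.append(line).append('\n');
        }
        return sb.toString();
    }

    public static void load(Context ctx, WebView webView) throws IOException {
        // Drop any navigation that leaves the chosen origin (return true = do not load).
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                Uri target = request.getUrl();
                Uri base = Uri.parse(BASE_URL);
                boolean sameOrigin = "https".equals(target.getScheme())
                        && base.getHost().equals(target.getHost());
                return !sameOrigin;
            }
        });
        // The content lives under BASE_URL, so it needs no file:// access.
        webView.getSettings().setAllowFileAccess(false);
        String html = readAsset(ctx, "page.html");
        // baseUrl fixes the origin used by the same-origin policy and for relative URLs;
        // a null historyUrl records the entry as about:blank.
        webView.loadDataWithBaseURL(BASE_URL, html, "text/html", "UTF-8", null);
    }
}
```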