Android WebView not loading Mixed Content

taeuk picture taeuk · Aug 22, 2015 · Viewed 25.2k times · Source

I'm trying to make a app with WebView, but the website is using https, but the content (ex. mp3 file) uses http, so Android Lollipop won't load it because it is "Mixed Content". I tried to use onReceivedSslError handler.proceed();, but it doesn't load anything. Is there a way to fix it? or could I just make all websites loaded use http, so It doesn't show any errors?

Answer

user11153 picture user11153 · Sep 30, 2015

Since Pie (API 29), all non-HTTPS traffic in app is now disabled by default.

If you're targeting API level 26 or above, you must first enable it in the manifest file. Add

android:usesCleartextTraffic="true"

into <application> tag.


Since Lollipop (API 21), WebView blocks all mixed content by default.

To change this behaviour, when you are targeting API level 21 or above, use:

webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE);

In this mode, the WebView will attempt to be compatible with the approach of a modern web browser with regard to mixed content. Some insecure content may be allowed to be loaded by a secure origin and other types of content will be blocked. The types of content are allowed or blocked may change release to release and are not explicitly defined.

In practice this should allow loading of images, videos, music etc. - all content that has low probability of being major security threat, when tampered/replaced by malicious third-party.


Alternatively use (strongly discouraged):

webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);

In this mode, the WebView will allow a secure origin to load content from any other origin, even if that origin is insecure. This is the least secure mode of operation for the WebView, and where possible apps should not set this mode.