fix: Use media directory as the base url of the CardViewers

[BrayanDSO]

Purpose / Description

Loading files with file:/ scheme in much faster in an Android Webview, and that's what 2.15.6 did by setting the Webview base url to the media directory.

But in 2.16/2.17, in order to enable POST requests to be done, the base url was set to localhost and the files were delivered by the server. After noticing that loading files was slower with the server, a WebViewAssetLoader was used, but it was still slower than file:/. The next alternative was parsing the card's HTML to use file:/ for media sources, but that leads to CORS issues and sometimes HTML parsing issues.

So, here's what I believe that should be the definitive solution, which is to remap POST requests base url, so the Webview base url can be set to the media directory so the 2.15.6 behavior is restored.

Fixes

• Fixes [BUG]: Cloze cards showing 'data-ordinal="1"' when using latex and images #16139
• Fixes [BUG]: localStorage does not seem to be persistent in version 2.17.5 #15911

Approach

In the commits

How Has This Been Tested?

Emulator 34:

Tested by adding console.log("foo"); into Custom scheduling deck option then seeing if it appeared in Logcat

Also checked if media, specially videos and audios, were properly loaded

Checklist

Please, go through these checks before submitting the PR.

• You have a descriptive commit message with a short title (first line, max 50 chars).
• You have commented your code, particularly in hard-to-understand areas
• You have performed a self-review of your own code
• UI changes: include screenshots of all affected screens (in particular showing any new or changed strings)
• UI Changes: You have tested your change using the Google Accessibility Scanner

[mikehardy]

Should be good to go now

[david-allison]

[security] Is it feasible to limit this so other apps on-device can't reasonably access the server?

[BrayanDSO]

Tried it once but it didn't work immediately. Since my timeblock was gone and this was the same of what 2.16 did, I left it as is.

https://github.com/ankidroid/Anki-Android/blob/release-2.16/AnkiDroid/src/main/java/com/ichi2/anki/AbstractFlashcardViewer.kt#L586

[david-allison]

Do you feel we should block this PR on this?

• Historically, collection.media + collection.anki2 were publicly accessible.
  • After 2.16 & scoped storage, we should lock it down so it matches expectations
  • We don't want to be listed on the next article in this series: https://www.bellingcat.com/news/2021/05/28/us-soldiers-expose-nuclear-weapons-secrets-via-flashcard-apps/

If we have MANAGE_EXTERNAL_STORAGE, we must not allow access to files outside collection.media, and I would block on this

[david-allison]

I've extracted this to: #16230

[BrayanDSO]

Took a look and since the Reviewer now uses file:/// as base url, origin is null so only * can be used as the value of Access-Control-Allow-Origin.

On a quick assessment, only POST requests are allowed. In the reviewer only getSchedulingStatesWithContext and setSchedulingStates are enabled. So, I don't see any danger right now. Card templates and deck options' custom scheduling already can use those methods but aren't considered a security vulnerability

[mikehardy]

let's do this - thanks @BrayanDSO (and David)