Short circuit the postback request to avoid the google 413 error after payment

[jim-daf]

Avoid the google 413 page after a successful payment

Resolves #40

The default postback URL in the library is https://www.google.com. After
the user confirms the payment the ACS server posts the result form back to
that URL. The form is big enough that google answers with HTTP 413 and the
WebView paints google's error page for a moment before the activity is
torn down. End users see this as a confusing error after a successful
payment.

By the time shouldInterceptRequest runs for the postback URL we already
have everything we need from the form. The actual network request is
pointless and is the only thing producing the 413. The fix is to return an
empty document for that one request so it never leaves the device.

if (isPostbackUrl(url)) {
    Thread.sleep(1500);
    return new WebResourceResponse("text/html", "UTF-8", new ByteArrayInputStream(new byte[0]));
}

Why this is safe

The postback URL is by definition a sentinel. The library does not need
anything from its response. Callers that pass their own postback URL keep
the same behaviour because the short circuit only kicks in for URLs that
match isPostbackUrl, and the response body returned is empty rather than
a redirect or error page.

Testing

Reproduced the 413 against the default postback URL with a 3D Secure
sandbox transaction. With the patch applied the WebView quietly resolves
the postback and the listener fires without any visible error page.

[Copilot]

Pull request overview

This PR aims to prevent a brief Google “HTTP 413 request too large” error page flash after a successful 3DS payment by short-circuiting the default postback navigation in WebViewClient.shouldInterceptRequest, returning an empty document instead of allowing the POST to reach a real host.

Changes:

• Return an empty WebResourceResponse for requests identified as the postback URL to avoid the network request (and resulting 413).
• Add ByteArrayInputStream import to support the empty response body.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

shouldInterceptRequest(WebView, String) is deprecated and may not be invoked on API 21+ (WebView prefers shouldInterceptRequest(WebView, WebResourceRequest)). If that happens, the postback short-circuit won’t run on most modern devices, so the 413 flash can remain. Consider overriding the WebResourceRequest variant as well and delegating to shared logic so the behavior is consistent across API levels.

[Copilot]

This change short-circuits all requests that match isPostbackUrl(url), but postbackUrl can be provided by callers (see authorize(..., postbackUrl)). That means ACS POSTs will no longer reach a caller-provided postback endpoint, which is a behavioral/API change compared to returning null and letting the request proceed. If the intent is only to avoid the default google.com 413, consider gating the empty response to the library’s default postback URL (or making this behavior explicitly opt-in).

[Copilot]

The InterruptedException is swallowed. Since shouldInterceptRequest runs on a worker thread, clearing the interrupt can interfere with cancellation/shutdown logic. Consider restoring the interrupted status (e.g., Thread.currentThread().interrupt()) before returning.

Suggested change

	// Ignore
	Thread.currentThread().interrupt();