When an Android device connects to a network, it checks a specific URL (connectivitycheck.gstatic.com/generate_204). If the response is 204, it won't trigger anything, but if it receives something else (like 302), it will open that page inside a sandboxed webview and follow the "Location" header if it is present.
I used dnsmasq to spoof that URL and return the required response code. To my surprise, it actually worked, but only then did I discover that captive portals are sandboxed by default. The whole website is working as it should, with the only missing feature being that I can't select any type of files.
I'm curious if anyone here has ever experimented with captive portals before. Is there any way to open the user's browser? I feel like I might lose the user interest if I prompt them with a url to open in their browser.