<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
File access in an Android WebView can expose the device's file system to
the JavaScript running in the WebView. If there are vulnerabilities in the
JavaScript or untrusted content is loaded in the WebView, file access may
allow an attacker to access or steal the user's data.
</p>
</overview>
<recommendation>
<p>When possible, you should disallow file access by setting the following settings to <code>false</code>:</p>
<ul>
<li><code>setAllowFileAccess</code></li>
<li><code>setAllowFileAccessFromFileURLs</code></li>
<li><code>setAllowUniversalAccessFromFileURLs</code></li>
</ul>
</recommendation>
<example>
<p>In the following (bad) example, the WebView is configured with settings
that allow local file access.</p>
<sample src="WebViewFileAccessUnsafe.java"/>
<p>In the following (good) example, the WebView is configured to disallow file access.</p>
<sample src="WebViewFileAccessSafe.java"/>
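<p>The two configurations described above, written out as an added example. This is not the
CodeQL project's own sample code; the class and method names are hypothetical, and only the
<code>WebSettings</code> calls are the Android API.</p>

```java
import android.webkit.WebSettings;
import android.webkit.WebView;

/** Added illustration; class and method names are hypothetical. */
public final class WebViewFileAccessExample {

    private WebViewFileAccessExample() {}

    /** Bad: all three file-access settings are enabled. */
    @SuppressWarnings("deprecation")
    static void configureUnsafe(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(true);
        settings.setAllowFileAccessFromFileURLs(true);
        settings.setAllowUniversalAccessFromFileURLs(true);
    }

    /**
     * Good: all three settings are disabled explicitly rather than left to
     * platform defaults, because the default for setAllowFileAccess depends
     * on the app's target SDK level.
     */
    @SuppressWarnings("deprecation")
    static void configureSafe(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
    }

    /**
     * Check for a debug build or an instrumented test: returns true only
     * when none of the three file-access settings is enabled.
     */
    @SuppressWarnings("deprecation")
    static boolean fileAccessDisabled(WebView webView) {
        WebSettings settings = webView.getSettings();
        return !(settings.getAllowFileAccess()
                || settings.getAllowFileAccessFromFileURLs()
                || settings.getAllowUniversalAccessFromFileURLs());
    }
}
```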
</example>
<references>
<li>
Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)">WebSettings.setAllowFileAccess</a>.
</li>
<li>
Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccessFromFileURLs(boolean)">WebSettings.setAllowFileAccessFromFileURLs</a>.
</li>
</references>
</qhelp>