AndroidWebViewSettingsAllowsContentAccess.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Android can provide access to content providers within a WebView using
the <code>setAllowContentAccess</code> setting.</p>
<p>Allowing access to content providers via <code>content://</code> URLs
may allow JavaScript to access protected content.</p>
</overview>
<recommendation>
<p>
If your app does not require access to the <code>content://</code> URL
functionality, you should explicitly disable the setting by
calling <code>setAllowContentAccess(false)</code> on the settings of the
WebView.
</p>
</recommendation>
<example>
<p>In the following (bad) example, access to <code>content://</code> URLs is explicitly allowed.</p>
<sample src="ContentAccessEnabled.java"/>
<p>In the following (good) example, access to <code>content://</code> URLs is explicitly denied.</p>
<sample src="ContentAccessDisabled.java"/>
</example>
<references>
<li>
Android Documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowContentAccess(boolean)">setAllowContentAccess</a>.
</li>
</references>
</qhelp>
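The recommendation above can be approximated as a quick source check. This is an added example, not the project's CodeQL query or its sample files: a line-based, regex-only scan that flags `setAllowContentAccess(true)`, non-constant arguments, and `WebSettings` variables on which the setter is never called. The function name and the sample Java snippets are constructed for illustration, and the scan does not handle comments, aliases or settings configured in another file.

```python
import re

# "<receiver>.setAllowContentAccess(<arg>)"; the receiver may be a variable
# or a chained "webView.getSettings()" expression.
CALL = re.compile(r'([\w.()]+)\.setAllowContentAccess\(\s*([^)]*?)\s*\)')
# "WebSettings <name> = <expr>.getSettings()"
DECL = re.compile(r'\bWebSettings\s+(\w+)\s*=\s*[\w.()]*?getSettings\(\)')

def find_content_access_issues(source):
    """Return sorted (line_number, message) findings for one Java source string."""
    findings = []
    declared = {}       # WebSettings variable -> line where it was declared
    configured = set()  # receivers with any setAllowContentAccess call
    for no, line in enumerate(source.splitlines(), 1):
        for m in DECL.finditer(line):
            declared.setdefault(m.group(1), no)
        for m in CALL.finditer(line):
            receiver, arg = m.groups()
            configured.add(receiver)
            if arg == "true":
                findings.append((no, "content:// access explicitly enabled"))
            elif arg != "false":
                findings.append((no, "content:// access set from a non-constant value"))
    # Variables that were never configured keep the platform default, so the
    # explicit setAllowContentAccess(false) call the recommendation asks for is missing.
    for name, no in declared.items():
        if name not in configured:
            findings.append((no, "setAllowContentAccess(false) never called on '%s'" % name))
    return sorted(findings)

# Constructed inputs (not the ContentAccessEnabled/Disabled.java samples).
BAD = """\
WebSettings settings = webView.getSettings();
settings.setAllowContentAccess(true);
"""
GOOD = """\
WebSettings settings = webView.getSettings();
settings.setAllowContentAccess(false);
"""
UNSET = """\
WebSettings s = webView.getSettings();
s.setJavaScriptEnabled(true);
"""

if __name__ == "__main__":
    for label, src in (("BAD", BAD), ("GOOD", GOOD), ("UNSET", UNSET)):
        print(label, find_content_access_issues(src))
```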