-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathWebviewDebuggingEnabled.qhelp
More file actions
36 lines (27 loc) · 1.37 KB
/
WebviewDebuggingEnabled.qhelp
File metadata and controls
36 lines (27 loc) · 1.37 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>The <code>WebView.setWebContentsDebuggingEnabled</code> method enables or disables the contents of any <code>WebView</code> in the application to be debugged.</p>
<p>You should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.</p>
</overview>
<recommendation>
<p>Ensure that debugging features are not enabled in production builds, such as by guarding calls to <code>WebView.setWebContentsDebuggingEnabled(true)</code> by a flag that is only enabled in debug builds. </p>
</recommendation>
<example>
<p>In the first (bad) example, WebView debugging is always enabled.
whereas the GOOD case only enables it if the <code>android:debuggable</code> attribute is set to <code>true</code>.</p>
<sample src="WebviewDebuggingEnabled.java" />
</example>
<references>
<li>
Android Developers:
<a href="https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)">setWebContentsDebuggingEnabled</a>.
</li>
<li>
Android Developers:
<a href="https://developer.chrome.com/docs/devtools/remote-debugging/webviews/">Remote debugging WebViews</a>.
</li>
</references>
</qhelp>