AndroidWebViewSettingsFileAccess.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
File access in an Android WebView can expose the device's file system to
the JavaScript running in the WebView. If there are vulnerabilities in the
JavaScript or untrusted content is loaded in the WebView, file access may
allow an attacker to access or steal the user's data.
</p>
</overview>
<recommendation>
<p>When possible, you should not allow file access. The file access settings
are disabled by default. You can explicitly disable them by setting the
following settings to <code>false</code>:</p>
<ul>
<li><code>setAllowFileAccess</code></li>
<li><code>setAllowFileAccessFromFileURLs</code></li>
<li><code>setAllowUniversalAccessFromFileURLs</code></li>
</ul>
<p>If your application requires access to the file system, it is best to
avoid using <code>file://</code> URLs, and instead use an alternative that
serves files over <code>https</code>, such
as <code>androidx.webkit.WebViewAssetLoader</code>.</p>
</recommendation>
<example>
<p>In the following (bad) example, the WebView is configured with settings
that allow local file access.</p>
<sample src="WebViewFileAccessUnsafe.java"/>
<p>In the following (good) example, the WebView is configured to disallow file access.</p>
<sample src="WebViewFileAccessSafe.java"/>
<p>
In the following example, an asset loader is configured so that assets can
be accessed over <code>https</code> without requiring file system access.
</p>
<sample src="AssetLoaderExample.java"/>
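<p>The following is an added example written for this page, not one of the
sample files referenced above. It combines the two recommendations: every
file-access setting is set to <code>false</code>, and packaged assets are
served over <code>https</code> through <code>WebViewAssetLoader</code>. It
assumes an Activity that owns a single <code>WebView</code> and an APK that
ships <code>assets/index.html</code>; the class name
<code>SecureWebViewActivity</code> is hypothetical.</p>

```java
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.appcompat.app.AppCompatActivity;
import androidx.webkit.WebViewAssetLoader;
import androidx.webkit.WebViewClientCompat;

// Assumed setup (not from the original page): the Activity owns one WebView
// and the APK ships assets/index.html.
public class SecureWebViewActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // 1. Explicitly disable every file-access setting, so local files are
        //    unreachable from JavaScript regardless of the platform default.
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // 2. Serve packaged assets and resources over https instead of file://.
        //    The loader only answers for the path prefixes registered here; any
        //    other URL returns null and is handled by the normal network stack.
        final WebViewAssetLoader assetLoader = new WebViewAssetLoader.Builder()
                .addPathHandler("/assets/", new WebViewAssetLoader.AssetsPathHandler(this))
                .addPathHandler("/res/", new WebViewAssetLoader.ResourcesPathHandler(this))
                .build();

        webView.setWebViewClient(new WebViewClientCompat() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view,
                                                              WebResourceRequest request) {
                // Route matching requests to the APK contents; null means
                // "not mine", so the WebView proceeds as usual.
                return assetLoader.shouldInterceptRequest(request.getUrl());
            }
        });

        // 3. Load the page through the loader's virtual https origin, never via file://.
        webView.loadUrl("https://appassets.androidplatform.net/assets/index.html");
    }
}
```

<p>Because the page is loaded from an <code>https</code> origin
(<code>appassets.androidplatform.net</code> is the loader's default domain),
the JavaScript runs under ordinary same-origin rules and the three
file-access settings can stay <code>false</code>; a request for a path that
is not registered with the loader falls through to the network rather than to
the device's file system.</p>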
</example>
<references>
<li>
Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)">WebSettings.setAllowFileAccess</a>.
</li>
<li>
Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccessFromFileURLs(boolean)">WebSettings.setAllowFileAccessFromFileURLs</a>.
</li>
<li>
Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowUniversalAccessFromFileURLs(boolean)">WebSettings.setAllowUniversalAccessFromFileURLs</a>.
</li>
<li>
Android documentation: <a href="https://developer.android.com/reference/androidx/webkit/WebViewAssetLoader">WebViewAssetLoader</a>.
</li>
</references>
</qhelp>