<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>The <code>WebView.setWebContentsDebuggingEnabled</code> method enables or disables debugging of the web contents of every <code>WebView</code> in the application.</p>
<p>Enabling debugging features can expose additional entry points into the application or leak sensitive information.
As such, debugging should only be enabled during development, and disabled in production builds.</p>
</overview>
<recommendation>
<p>Ensure that debugging features are not enabled in production builds.
If <code>WebView.setWebContentsDebuggingEnabled(true)</code> is used, ensure that it is guarded by a flag indicating that this is a debug build.</p>
</recommendation>
<example>
<p>In the code below, the BAD case shows WebView debugging always being enabled,
whereas the GOOD case only enables it if the <code>android:debuggable</code> attribute is set to <code>true</code>.</p>
<sample src="WebviewDebuggingEnabled.java" />
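<p>The referenced sample file is not reproduced on this page. The following BAD and GOOD pair is an added illustration, not the project's own sample: the class names are hypothetical, and the GOOD case assumes the <code>android:debuggable</code> attribute is read through <code>ApplicationInfo.FLAG_DEBUGGABLE</code>.</p>
<![CDATA[
```java
// Added illustration; BadActivity and GoodActivity are hypothetical names
// and this is not the project's WebviewDebuggingEnabled.java sample.
import android.app.Activity;
import android.content.pm.ApplicationInfo;
import android.os.Bundle;
import android.webkit.WebView;

class BadActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // BAD: debugging is enabled unconditionally, release builds included.
        WebView.setWebContentsDebuggingEnabled(true);
        setContentView(new WebView(this));
    }
}

class GoodActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // GOOD: FLAG_DEBUGGABLE is set only when the manifest declares
        // android:debuggable="true", which release builds do not.
        boolean debuggable =
            (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        if (debuggable) {
            WebView.setWebContentsDebuggingEnabled(true);
        }
        setContentView(new WebView(this));
    }
}
```
]]>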
</example>
<references>
<li>
Android Developers:
<a href="https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)">setWebContentsDebuggingEnabled</a>.
</li>
<li>
Android Developers:
<a href="https://developer.chrome.com/docs/devtools/remote-debugging/webviews/">Remote debugging WebViews</a>.
</li>
</references>
</qhelp>