AndroidWebViewSettingsFileAccess.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Enabling file access in an Android WebView exposes the device's file system to
the JavaScript running in that WebView, with the permissions of the app itself.
If the loaded page has a script-injection flaw, or if the WebView loads untrusted
content, an attacker who controls the script can read files the app can read
(for example its private data directory) and exfiltrate them.
</p>
</overview>
<recommendation>
<p>When possible, do not allow file access. Note that the defaults depend on the
API level and the app's target SDK: <code>setAllowFileAccess</code> defaults to
<code>true</code> for apps targeting Android 10 (API level 29) and below and to
<code>false</code> from Android 11 (API level 30), while the two file-URL settings
default to <code>false</code> from API level 16. Rather than relying on those
defaults, explicitly disable all three by setting them to <code>false</code>:</p>
<ul>
<li><code>setAllowFileAccess</code>: controls whether the WebView may load <code>file://</code> URLs at all.</li>
<li><code>setAllowFileAccessFromFileURLs</code>: controls whether JavaScript running in a <code>file://</code> page may read other <code>file://</code> resources.</li>
<li><code>setAllowUniversalAccessFromFileURLs</code>: controls whether JavaScript running in a <code>file://</code> page may access content from any origin; enabling it implies the previous setting.</li>
</ul>
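<p>The following is an added example, not the sample code shipped with this query, that puts the unsafe and hardened configurations side by side and adds a runtime check a test can assert on. The class and method names are assumptions for illustration; the <code>WebViewAssetLoader</code> alternative is the AndroidX <code>androidx.webkit</code> API for serving bundled assets without <code>file://</code> access.</p>

```java
import android.content.Context;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.webkit.WebViewAssetLoader;
import androidx.webkit.WebViewClientCompat;

// Hypothetical helper class (example code, not part of the query's samples).
public final class WebViewFileAccessConfig {

    // BAD: every file-access switch is on, and the WebView then loads remote,
    // attacker-influenceable content. Script on that page can read file:// URLs
    // with the app's permissions and send the contents anywhere.
    public static void configureUnsafe(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setAllowFileAccess(true);
        settings.setAllowFileAccessFromFileURLs(true);
        settings.setAllowUniversalAccessFromFileURLs(true);
        webView.loadUrl("https://example.com/"); // hypothetical untrusted origin
    }

    // GOOD: explicitly turn all three settings off instead of relying on the
    // API-level-dependent defaults. Local assets, if needed, are served by
    // WebViewAssetLoader over an https:// origin, so file:// is never required.
    public static void configureSafe(Context context, WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        final WebViewAssetLoader assetLoader = new WebViewAssetLoader.Builder()
                .addPathHandler("/assets/", new WebViewAssetLoader.AssetsPathHandler(context))
                .build();
        webView.setWebViewClient(new WebViewClientCompat() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view,
                                                              WebResourceRequest request) {
                // Only paths under /assets/ are mapped; anything else returns null
                // and falls through to normal (network) loading.
                return assetLoader.shouldInterceptRequest(request.getUrl());
            }
        });
        // Bundled page served from the app's assets without any file:// access.
        webView.loadUrl("https://appassets.androidplatform.net/assets/index.html");
    }

    // Runtime check suitable for an instrumentation test: returns true only when
    // none of the file-access switches is enabled on the given WebView.
    public static boolean fileAccessDisabled(WebView webView) {
        WebSettings settings = webView.getSettings();
        return !settings.getAllowFileAccess()
                && !settings.getAllowFileAccessFromFileURLs()
                && !settings.getAllowUniversalAccessFromFileURLs();
    }
}
```

<p>Calling <code>fileAccessDisabled</code> from an instrumentation test after the app's WebView setup catches a regression where a later change re-enables one of the switches; asserting on the getters rather than on the source keeps the check valid whatever the target SDK's defaults are.</p>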
</recommendation>
<example>
<p>In the following (bad) example, the WebView is configured with the settings
which would allow local file access.</p>
<sample src="WebViewFileAccessUnsafe.java"/>
<p>In the following (good) example, the WebView is configured to disallow file access.</p>
<sample src="WebViewFileAccessSafe.java"/>
</example>
<references>
<li>
Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)">WebSettings.setAllowFileAccess</a>.
</li>
<li>
Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccessFromFileURLs(boolean)">WebSettings.setAllowFileAccessFromFileURLs</a>.
</li>
<li>
Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowUniversalAccessFromFileURLs(boolean)">WebSettings.setAllowUniversalAccessFromFileURLs</a>.
</li>
</references>
</qhelp>