balazsgerlei / SecureWebView

Android WebView wrapper with secure defaults to avoid security issues caused by misconfiguring WebViews.
Creative Commons Zero v1.0 Universal

💎 Don't allow loading files from the res and assets folder if file access is disabled #6

Closed balazsgerlei closed 3 months ago

balazsgerlei commented 3 months ago

In SecureWebView, file access is disabled by default (by calling `setAllowFileAccess(false)` on the underlying WebView), but it turns out that doesn't prevent loading files shipped with the APK in the `res` or `assets` folder.

The solution would be to prevent loading URIs with the `file://` scheme at all.
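
One way to implement the fix proposed in this issue, as an added example that is not SecureWebView's own code: a hypothetical `NoFileSchemeWebView` subclass that refuses `file://` URIs both when the app calls `loadUrl` and when the page itself navigates. The class and helper names are assumptions, and `shouldOverrideUrlLoading(WebView, WebResourceRequest)` requires API 24 or later.

```java
import android.content.Context;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Locale;
import java.util.Map;

/** Hypothetical wrapper (not SecureWebView's code) that refuses file:// URIs. */
public class NoFileSchemeWebView extends WebView {

    public NoFileSchemeWebView(Context context) {
        super(context);
        // As the issue notes, this alone does not cover the res and assets folders.
        getSettings().setAllowFileAccess(false);
        // A later setWebViewClient() call by the host app replaces this client,
        // so a real wrapper would also have to guard that setter.
        setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels navigations started inside the page.
                return isFileUri(request.getUrl().toString());
            }
        });
    }

    /** True if the URL's scheme is "file", judged the way a URL parser would see it. */
    static boolean isFileUri(String url) {
        if (url == null) return false;
        // WHATWG-style parsers drop ASCII tab/CR/LF and leading control chars or
        // spaces, so "FILE://", " file://" and "fi\tle://" must all be caught.
        String cleaned = url.replaceAll("[\\t\\r\\n]", "").replaceAll("^[\\x00-\\x20]+", "");
        int colon = cleaned.indexOf(':');
        return colon > 0 && cleaned.substring(0, colon).toLowerCase(Locale.ROOT).equals("file");
    }

    @Override
    public void loadUrl(String url) {
        if (isFileUri(url)) return; // includes file:///android_asset/ and file:///android_res/
        super.loadUrl(url);
    }

    @Override
    public void loadUrl(String url, Map<String, String> additionalHttpHeaders) {
        if (isFileUri(url)) return;
        super.loadUrl(url, additionalHttpHeaders);
    }
}
```

The `loadUrl` overrides are needed because `shouldOverrideUrlLoading` is not invoked for loads the app starts itself through `loadUrl`.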