ionic-team / capacitor

Build cross-platform Native Progressive Web Apps for iOS, Android, and the Web ⚡️
https://capacitorjs.com
MIT License

improvement: re-evaluate WebView's "allowFileAccessFromFileURLs" flag on iOS #6131

Closed Dervol03 closed 1 year ago

Dervol03 commented 1 year ago

Description

As Capacitor is now using a custom scheme to load its data on iOS, it is very likely that `allowFileAccessFromFileURLs` can now be deactivated for the WebView. During a pentest of our application, it was considered a security risk by the pentesters.

Platform(s)

ios

Preferred Solution

Remove the flag or explicitly set it to false

Discussed in https://github.com/ionic-team/capacitor/discussions/6124

Originally posted by **Dervol03** November 29, 2022

Hi everyone, we recently had a pentest for our app and one of the issues raised during the process was that `allowFileAccessFromFileURLs` is `true` for the WebView on iOS. However, it is not set for the Android counterpart code. This raises the question whether it is still necessary for Capacitor to operate correctly or is just a historical oversight due to a necessity in the past?

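
The weak setting beside the explicit `false` the issue asks for, as an added example that is not code from the Capacitor project or from the issue author. It assumes plain app-side `WKWebViewConfiguration` setup rather than Capacitor's own configuration path, and it relies on the preference key being reachable through key-value coding on `WKPreferences`, which is a private WebKit key rather than public API; reading the value back the same way is an assumption about KVC resolving to the private getter.

```swift
import WebKit

// Added example, not Capacitor code. "allowFileAccessFromFileURLs" is not public WebKit API;
// it is toggled through key-value coding, which is how hybrid frameworks have set it.
let fileAccessKey = "allowFileAccessFromFileURLs"

/// Weak configuration: a page loaded from a file:// URL may fetch any other file:// URL the
/// app process can read, so script injection into local content turns into local file read.
func weakConfiguration() -> WKWebViewConfiguration {
    let config = WKWebViewConfiguration()
    config.preferences.setValue(true, forKey: fileAccessKey)
    return config
}

/// Hardened configuration: pin the flag to false explicitly. WKWebView's default is false,
/// but an explicit value documents intent and overrides a framework that enabled it earlier,
/// so apply it after any third-party setup that touches the same configuration.
func hardenedConfiguration(base: WKWebViewConfiguration = WKWebViewConfiguration()) -> WKWebViewConfiguration {
    base.preferences.setValue(false, forKey: fileAccessKey)
    return base
}

/// Check: read the flag back from a configuration handed to you by a framework.
/// Assumption: KVC resolves the key to WebKit's private getter. If the key is ever removed,
/// value(forKey:) raises NSUnknownKeyException, so keep this to debug builds.
func allowsFileAccessFromFileURLs(_ config: WKWebViewConfiguration) -> Bool {
    return (config.preferences.value(forKey: fileAccessKey) as? Bool) ?? false
}

// Assumed usage at app start-up, debug builds only.
#if DEBUG
let config = hardenedConfiguration()
assert(!allowsFileAccessFromFileURLs(config), "\(fileAccessKey) must stay false")
#endif
```

Because the content now arrives through a custom scheme rather than `file://`, nothing in the page's own loading path should need the flag; the debug assertion is there to catch a plugin or framework re-enabling it later.
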
ionitron-bot[bot] commented 1 year ago

Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Capacitor, please create a new issue and ensure the template is fully filled out.