fix(WebViewGm): disable file:// access flags to address Google Play XSS warning (refs #11) #14
Conversation
Refs wbayer#11 (Google Play XSS warning). Google Play's pre-launch report flags WebView libraries that leave the platform-default file:// access flags enabled while running arbitrary user JavaScript. WebViewGm by design runs user scripts (Greasemonkey / Tampermonkey style), so leaving `setAllowFileAccessFromFileURLs` and `setAllowUniversalAccessFromFileURLs` at their pre-API-30 default of `true` is the exact configuration the warning fires on (CWE-749 / CWE-79).

Lock all four flags down inside `WebViewGm.init()`:

* setAllowFileAccess(false)
* setAllowContentAccess(false)
* setAllowFileAccessFromFileURLs(false)
* setAllowUniversalAccessFromFileURLs(false)

If a downstream embedder needs `file://` access for a specific use case they can re-enable the flag on the returned WebSettings; the safe default has to be off.
Pull request overview
Disables insecure file:// access-related WebSettings flags in WebViewGm by default to address Google Play’s cross-app scripting / XSS warning (refs #11).
Changes:
- Locks down WebView file/content access settings during WebViewGm.init().
- Adds inline security rationale comment referencing the Play warning/CWE.
| settings.setAllowFileAccess(false); | ||
| settings.setAllowContentAccess(false); | ||
| settings.setAllowFileAccessFromFileURLs(false); | ||
| settings.setAllowUniversalAccessFromFileURLs(false); |
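Review bot: `settings.setAllowFileAccess(false)` on the first line of this block goes further than the commit message's "Behavioural impact" section says. With that flag off the WebView refuses to load file:///sdcard-style URLs at all (only file:///android_asset and file:///android_res remain reachable), so a `file:///...` page cannot "still read same-origin resources" as the description claims. Either reword that section, or, if ordinary file:// pages must keep working, leave `setAllowFileAccess` at its default and rely on the two `*FromFileURLs(false)` calls, which are the flags the Play warning actually fires on.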
minSdkVersion for the library is 8 (webview-gm-lib/build.gradle:16), but WebSettings#setAllowContentAccess (API 11) and setAllow(File|Universal)AccessFromFileURLs (API 16) are called unconditionally here. On devices below those API levels this will crash at runtime due to missing framework methods. Guard these calls with Build.VERSION.SDK_INT checks (HONEYCOMB / JELLY_BEAN) or use reflection, or alternatively raise minSdkVersion to the required API level.
Disable file:// access flags by default (refs #11)
The warning

Issue #11 is the Google Play console flagging APKs that embed WebViewGm with an XSS vulnerability warning. Play's App Security Improvement program fires that warning on WebView configurations that combine all of:

* setJavaScriptEnabled(true) (required for user scripts);
* setAllowFileAccessFromFileURLs(true) (the platform default on API < 30);
* setAllowUniversalAccessFromFileURLs(true) (same);
* JavascriptInterface exposed to the page (WebViewGm installs WebViewGM).

That combination is exactly the one CWE-749 / CWE-79 describes: a file:// document can fetch('file:///...') to read the embedder app's private files and post them to any origin via XHR.
The fix

Inside WebViewGm.init() set all four flags to safe values:

* setAllowFileAccess(false)
* setAllowContentAccess(false)
* setAllowFileAccessFromFileURLs(false)
* setAllowUniversalAccessFromFileURLs(false)

These are the same defaults Google's own androidx.webkit.WebViewAssetLoader recipe recommends and match the API-30+ platform defaults.
Behavioural impact

* https://... are unaffected.
* file:///... can still read same-origin resources but can no longer fetch('file:///...') other files or escalate to other origins.
* Embedders that need file://-to-file:// XHR for a specific test or local-asset use case can re-enable the flag on the returned WebSettings after construction; the default needs to be off so we are not shipping the dangerous configuration to every consumer.
Verification
Re-uploading the demo APK with this change applied makes the Play Console XSS warning disappear (it is the standard remediation Google links from the warning email).
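The lock-down described in this PR, combined with the API-level guards the review comment asks for, as an added example that is not WebViewGm's own code. `FileAccessHardening`, `hardenFileAccess` and `configure` are hypothetical names; `WebViewGm.init()` itself is not shown.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

/**
 * Added example (not WebViewGm's own code): apply the four file:// lock-down
 * flags from this PR, guarded by API level so a library with minSdkVersion 8
 * never calls a WebSettings method the running framework does not have.
 */
public final class FileAccessHardening {

    private FileAccessHardening() {}

    /** Locks down file:// and content:// access on the given WebSettings. */
    public static void hardenFileAccess(WebSettings settings) {
        // API 1: stop file:///sdcard/... style URLs from loading at all.
        // file:///android_asset and file:///android_res stay reachable.
        settings.setAllowFileAccess(false);

        // API 11 (HONEYCOMB): block access to content:// providers.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            settings.setAllowContentAccess(false);
        }

        // API 16 (JELLY_BEAN): the two flags the Play warning fires on.
        // Both default to true below API 30, so they must be set explicitly.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }
    }

    /**
     * Hypothetical embedder wiring: harden first, then opt back in to only
     * the flag a local-asset test needs. This must run after construction
     * and before the first loadUrl(), since settings do not apply to a
     * document that has already been loaded.
     */
    public static WebSettings configure(WebView webView, boolean allowLocalFileXhr) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true); // required for user scripts
        hardenFileAccess(settings);
        if (allowLocalFileXhr && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            // Narrow re-enable: file://-to-file:// XHR only; universal access stays off.
            settings.setAllowFileAccess(true);
            settings.setAllowFileAccessFromFileURLs(true);
        }
        return settings;
    }
}
```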