fix(WebViewGm): disable file:// access flags to address Google Play XSS warning (refs #11) #14

Open

jim-daf wants to merge 1 commit into wbayer:master from jim-daf:fix/security-issue-11-file-access

Conversation

@jim-daf jim-daf commented Apr 22, 2026

Disable file:// access flags by default (refs #11)

The warning

Issue #11 is the Google Play console flagging APKs that
embed WebViewGm with an XSS vulnerability warning. Play's
App Security Improvement program fires that warning on
WebView configurations that combine all of:

  • setJavaScriptEnabled(true) (required for user scripts);
  • setAllowFileAccessFromFileURLs(true) (the platform
    default on API < 30);
  • setAllowUniversalAccessFromFileURLs(true) (same);
  • a JavascriptInterface exposed to the page (WebViewGm
    installs WebViewGM).

That combination is exactly the one CWE-749 / CWE-79
describes: a file:// document can fetch('file:///...')
to read the embedder app's private files and post them to
any origin via XHR.

The fix

Inside WebViewGm.init() set all four flags to safe values:

```java
settings.setAllowFileAccess(false);
settings.setAllowContentAccess(false);
settings.setAllowFileAccessFromFileURLs(false);
settings.setAllowUniversalAccessFromFileURLs(false);
```

These are the same defaults Google's own
androidx.webkit.WebViewAssetLoader recipe recommends and
match the API-30+ platform defaults.

Behavioural impact

  • Pages loaded from https://... are unaffected.
  • Pages loaded from file:///... can still read same-origin
    resources but can no longer fetch('file:///...') other
    files or escalate to other origins.
  • Embedders that intentionally need file://-to-file://
    XHR for a specific test or local-asset use case can
    re-enable the flag on the returned WebSettings after
    construction; the default needs to be off so we are not
    shipping the dangerous configuration to every consumer.

Verification

Re-uploading the demo APK with this change applied makes
the Play Console XSS warning disappear (it is the standard
remediation Google links from the warning email).

Refs wbayer#11 (Google Play XSS warning).

Google Play's pre-launch report flags WebView libraries that
leave the platform-default file:// access flags enabled while
running arbitrary user JavaScript. WebViewGm by design runs
user scripts (Greasemonkey / Tampermonkey style), so leaving
`setAllowFileAccessFromFileURLs` and
`setAllowUniversalAccessFromFileURLs` at their pre-API-30
default of `true` is the exact configuration the warning
fires on (CWE-749 / CWE-79).

Lock all four flags down inside `WebViewGm.init()`:

  * setAllowFileAccess(false)
  * setAllowContentAccess(false)
  * setAllowFileAccessFromFileURLs(false)
  * setAllowUniversalAccessFromFileURLs(false)

If a downstream embedder needs `file://` access for a specific
use case they can re-enable the flag on the returned
WebSettings; the safe default has to be off.
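The lock-down above, written out as an added example (not WebViewGm's own code) with the Build.VERSION.SDK_INT guards the Copilot review on this PR asks for, plus an audit check an embedder can run in an instrumentation test to confirm a WebView is no longer in the flagged combination. The class and method names are hypothetical.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

/**
 * Hypothetical helper (an added example, not WebViewGm's own code): applies the
 * four flags from this PR with the API-level guards the Copilot review asks for,
 * plus an audit check an embedder can run in an instrumentation test.
 */
public final class WebViewFileAccessHardening {
    private WebViewFileAccessHardening() {}

    /** Applies the PR's four values without crashing on devices below API 16. */
    public static void apply(WebView webView) {
        WebSettings settings = webView.getSettings();
        // API 3+: blocks file:// loads other than file:///android_asset
        // and file:///android_res, so plain local HTML files stop loading too.
        settings.setAllowFileAccess(false);
        // API 11+ (HONEYCOMB): blocks content:// loads.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            settings.setAllowContentAccess(false);
        }
        // API 16+ (JELLY_BEAN): the two cross-origin flags the Play warning keys on.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }
    }

    /**
     * Reports whether a WebView is still in the combination the PR describes:
     * JavaScript on together with either file-URL cross-origin flag on. Run it
     * after init() (and after any embedder-side re-enabling) to catch regressions.
     * The flags and their getters only exist from API 16, so there is nothing
     * to audit on older devices.
     */
    public static boolean isInPlayWarningConfiguration(WebSettings settings) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN) {
            return false;
        }
        return settings.getJavaScriptEnabled()
                && (settings.getAllowFileAccessFromFileURLs()
                    || settings.getAllowUniversalAccessFromFileURLs());
    }
}
```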
@jim-daf jim-daf marked this pull request as ready for review April 22, 2026 14:11
Copilot AI review requested due to automatic review settings April 22, 2026 14:11

Copilot AI left a comment

Pull request overview

Disables insecure file:// access-related WebSettings flags in WebViewGm by default to address Google Play’s cross-app scripting / XSS warning (refs #11).

Changes:

  • Locks down WebView file/content access settings during WebViewGm.init().
  • Adds inline security rationale comment referencing the Play warning/CWE.

Comment on lines +108 to +111
settings.setAllowFileAccess(false);
settings.setAllowContentAccess(false);
settings.setAllowFileAccessFromFileURLs(false);
settings.setAllowUniversalAccessFromFileURLs(false);
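Review bot: settings.setAllowFileAccess(false) on the first line of this hunk does more than the description's "Behavioural impact" section says: on every API level it stops the WebView loading file:// URLs at all apart from file:///android_asset and file:///android_res, so an embedder that loads plain local HTML loses those pages entirely rather than just losing fetch('file:///...') from them. Suggest stating that in the inline rationale comment and the description, and pointing such embedders at the WebViewAssetLoader recipe the description already cites, which serves local assets from an https:// origin without needing any of these four flags.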

Copilot AI Apr 22, 2026

minSdkVersion for the library is 8 (webview-gm-lib/build.gradle:16), but WebSettings#setAllowContentAccess (API 11) and setAllow(File|Universal)AccessFromFileURLs (API 16) are called unconditionally here. On devices below those API levels this will crash at runtime due to missing framework methods. Guard these calls with Build.VERSION.SDK_INT checks (HONEYCOMB / JELLY_BEAN) or use reflection, or alternatively raise minSdkVersion to the required API level.
