file://path/file, to access the file.
Sets whether cross-origin requests in the context of a file scheme URL should be allowed to access content from any origin. This includes access to content from other file scheme URLs or web contexts. Note that some access such as image HTML elements doesn't follow same-origin rules and isn't affected by this setting.
Don't enable this setting if you open files that may be created or altered by external sources. Enabling this setting allows malicious scripts loaded in a file:// context to launch cross-site scripting attacks, either accessing arbitrary local files including WebView cookies, app private data or even credentials used on arbitrary web sites.
Origin: file:// if the response doesn't allow that origin (Access-Control-Allow-Origin: file://) then the content won't be loaded.
The default value is false when targeting Build.VERSION_CODES.JELLY_BEAN and above.
Use getAllowUniversalAccessFromFileURLs() to know whether JavaScript running in the context of a file scheme URL can access content from any origin (if UniversalAccessFromFileURL is enabled).
Using loadDataWithBaseURL() with null as baseURL will also prevent loading local files even if all the dangerous settings are enabled.
Sets whether cross-origin requests in the context of a file scheme URL should be allowed to access content from other file scheme URLs. Note that some accesses such as image HTML elements don't follow same-origin rules and aren't affected by this setting.
Don't enable this setting if you open files that may be created or altered by external sources. Enabling this setting allows malicious scripts loaded in a file:// context to access arbitrary local files including WebView cookies and app private data.
file:// protocol.
Note that the value of this setting is ignored if the value of getAllowUniversalAccessFromFileURLs() is true.
The default value is false when targeting Build.VERSION_CODES.JELLY_BEAN and above.
Use getAllowFileAccessFromFileURLs() to know whether JavaScript running in the context of a file scheme URL can access content from other file scheme URLs.
Enables or disables file access within WebView. Note that this enables or disables file system access only. Assets and resources are still accessible using file:///android_asset and file:///android_res.
file:// protocol.
The default value is false when targeting Build.VERSION_CODES.R and above.
Helper class to load local files including application's static assets and resources using http(s):// URLs inside a WebView class. Loading local files using web-like URLs instead of "file://" is desirable as it is compatible with the Same-Origin policy.
setJavaScriptEnabled() can explicitly enable or disable it.
Note that WebViews can also support the intent scheme, which allows firing other applications. Read this writeup to find how to go from XSS to RCE.
@JavascriptInterface) by using the addJavascriptInterface method. This is known as a WebView JavaScript bridge or native bridge.
When you use addJavascriptInterface, you're explicitly granting access to the registered JavaScript Interface object to all pages loaded within that WebView. This implies that, if the user navigates outside your app or domain, all other external pages will also have access to those JavaScript Interface objects, which might present a potential security risk if any sensitive data is being exposed through those interfaces.
Warning: Take extreme care with apps targeting Android versions below Android 4.2 (API level 17) as they are vulnerable to a flaw in the implementation of addJavascriptInterface: an attack that is abusing reflection, which leads to remote code execution when malicious JavaScript is injected into a WebView. This was due to all Java Object methods being accessible by default (instead of only those annotated).
If addJavascriptInterface is necessary, take the following considerations:
WebView.getUrl).
<uses-sdk android:minSdkVersion="17" />).
@JavascriptInterface annotation that indicates to the JavascriptBridge that only the method with this annotation should be exposed. In that scenario, you won't be able to abuse Reflection to execute arbitrary code.
debuggable flag in the application's manifest. If you want to enable WebView debugging only when debuggable is true, test the flag at runtime.
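The restrictive settings described above, combined in one place, as an added example that is not code from the original page. It assumes the helper class described earlier is androidx.webkit.WebViewAssetLoader with its default domain; the class name HardenedWebView and the asset index.html are hypothetical.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.webkit.WebViewAssetLoader;

// Hypothetical helper: applies the file-access, JavaScript and debugging settings discussed above.
public final class HardenedWebView {
    private HardenedWebView() {}

    public static void configure(Context context, WebView webView) {
        WebSettings settings = webView.getSettings();

        // Set explicitly: the defaults depend on the targeted API level.
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Turn this on only if the bundled pages actually need JavaScript.
        settings.setJavaScriptEnabled(false);

        // Serve bundled assets from an https:// origin instead of file://,
        // so they are subject to the Same-Origin policy.
        final WebViewAssetLoader assetLoader = new WebViewAssetLoader.Builder()
                .addPathHandler("/assets/", new WebViewAssetLoader.AssetsPathHandler(context))
                .build();

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view,
                                                              WebResourceRequest request) {
                // Returns null for URLs outside the registered path, which then load normally.
                return assetLoader.shouldInterceptRequest(request.getUrl());
            }
        });

        // Enable WebView debugging only when the manifest's debuggable flag is set.
        if ((context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
            WebView.setWebContentsDebuggingEnabled(true);
        }

        // index.html is a hypothetical file under the app's assets/ directory.
        webView.loadUrl("https://appassets.androidplatform.net/assets/index.html");
    }
}
```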