Two WebView setup paths still toggle the deprecated allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs flags.
VectorWebViewActivity
vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt:
views.simpleWebview.settings.apply {
javaScriptEnabled = true
...
domStorageEnabled = true
@Suppress("DEPRECATION")
allowFileAccessFromFileURLs = true
@Suppress("DEPRECATION")
allowUniversalAccessFromFileURLs = true
displayZoomControls = false
}
...
val url = intent.extras?.getString(EXTRA_URL) ?: returnEXTRA_URL is always an http/https URL. The Activity is invoked through VectorWebViewActivity.getIntent(context, url, ...), and every call site that builds that intent (identity-server terms pages, SSO fallback, etc.) supplies an http or https URL. The WebView never loads a file:// main frame.
WidgetWebView
vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt:
@Suppress("DEPRECATION")
settings.allowFileAccessFromFileURLs = true
@Suppress("DEPRECATION")
settings.allowUniversalAccessFromFileURLs = trueWidgets are served from the integration server's https widget URL. There is no widget flow that loads a file:// document.
Why this matters
Both flags only take effect when the WebView's main frame is itself a file:// URL. Since neither call site loads one, the flags are not load-bearing for any current path. allowUniversalAccessFromFileURLs in particular lets a file:// page XHR any origin, the classic CWE-200 sandbox escape, and is the reason the docs marked the API deprecated. The @Suppress("DEPRECATION") lines suggest the deprecation warning was noticed but the flags themselves were not re-evaluated.
On pre-API-30 devices the WebView defaults are true for both, so removing the explicit true lines is a tightening on those devices rather than a no-op only on API 30+.
Suggested fix
Drop both = true lines in both files. The https widget and link flows continue to work unchanged.
Context
This was originally filed against the SchildiChat fork (SchildiChat/SchildiChat-android#284, #285). The maintainer asked me to file it upstream, so this issue is the upstream version. A PR is open at #9145.
Two WebView setup paths still toggle the deprecated
allowFileAccessFromFileURLsandallowUniversalAccessFromFileURLsflags.VectorWebViewActivity
vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt:EXTRA_URLis always an http/https URL. The Activity is invoked throughVectorWebViewActivity.getIntent(context, url, ...), and every call site that builds that intent (identity-server terms pages, SSO fallback, etc.) supplies an http or https URL. The WebView never loads afile://main frame.WidgetWebView
vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt:Widgets are served from the integration server's https widget URL. There is no widget flow that loads a
file://document.Why this matters
Both flags only take effect when the WebView's main frame is itself a
file://URL. Since neither call site loads one, the flags are not load-bearing for any current path.allowUniversalAccessFromFileURLsin particular lets afile://page XHR any origin, the classic CWE-200 sandbox escape, and is the reason the docs marked the API deprecated. The@Suppress("DEPRECATION")lines suggest the deprecation warning was noticed but the flags themselves were not re-evaluated.On pre-API-30 devices the WebView defaults are
truefor both, so removing the explicittruelines is a tightening on those devices rather than a no-op only on API 30+.Suggested fix
Drop both
= truelines in both files. The https widget and link flows continue to work unchanged.Context
This was originally filed against the SchildiChat fork (SchildiChat/SchildiChat-android#284, #285). The maintainer asked me to file it upstream, so this issue is the upstream version. A PR is open at #9145.