diff --git a/changelog.d/9144.bugfix b/changelog.d/9144.bugfix
new file mode 100644
index 00000000000..3dd7cf762d0
--- /dev/null
+++ b/changelog.d/9144.bugfix
@@ -0,0 +1 @@
+Drop allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs in VectorWebViewActivity and WidgetWebView. Both call sites only load http/https URLs, so the flags are not load-bearing and are CWE-200 sandbox-escape vectors when left on.
diff --git a/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt b/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt
index 6e7cb9e4684..1b447f0a2ae 100644
--- a/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt
+++ b/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt
@@ -55,10 +55,14 @@ class VectorWebViewActivity : VectorBaseActivity()
 // Allow use of Local Storage
 domStorageEnabled = true
- @Suppress("DEPRECATION")
- allowFileAccessFromFileURLs = true
- @Suppress("DEPRECATION")
- allowUniversalAccessFromFileURLs = true
+ // allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs
+ // only take effect when the main frame is a file:// URL. This
+ // Activity is launched with EXTRA_URL set to an http/https URL
+ // (identity-server terms pages, SSO fallback, etc.), so neither
+ // flag is load-bearing here, and
+ // allowUniversalAccessFromFileURLs in particular is a
+ // CWE-200 sandbox-escape vector if a file:// load ever lands
+ // in this Activity.
 displayZoomControls = false
 }
diff --git a/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt b/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt
index 657f63cea7e..195b6d6d872 100644
--- a/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt
+++ b/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt
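Review bot: The new comment in the VectorWebViewActivity hunk asserts that this Activity only ever loads an http/https EXTRA_URL, but nothing in the hunk enforces that, and after this change the two flags are merely left at their platform defaults (false on API 16 and above per the WebSettings documentation; minSdk is not visible here, so confirm). Rather than relying on the comment, reject non-http(s) schemes where EXTRA_URL is read before it reaches `loadUrl` (outside this hunk), and set `allowFileAccess = false` and `allowContentAccess = false` in the same settings block so a file:// or content:// main frame cannot be loaded at all; the block's opening line is outside the hunk. With those in place the eight-line comment can shrink to something like `// Left at the platform default (false): only http/https URLs are loaded here, and allowUniversalAccessFromFileURLs would otherwise let a file:// page read local files.` The WidgetWebView hunk in the next file has the same gap between what its comment claims and what the code enforces.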
@@ -42,10 +42,11 @@ fun WebView.setupForWidget(activity: Activity,
 // Allow use of Local Storage
 settings.domStorageEnabled = true
- @Suppress("DEPRECATION")
- settings.allowFileAccessFromFileURLs = true
- @Suppress("DEPRECATION")
- settings.allowUniversalAccessFromFileURLs = true
+ // allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs
+ // only take effect when the main frame is a file:// URL. Widgets are
+ // always served from an https widget URL, so neither flag is
+ // load-bearing here, and allowUniversalAccessFromFileURLs in
+ // particular is a CWE-200 sandbox-escape vector.
 settings.displayZoomControls = false