From dbd139055aee9379d70b80d40cf7ae9154647d84 Mon Sep 17 00:00:00 2001
From: dimitris
Date: Wed, 13 May 2026 20:48:51 +0200
Subject: [PATCH] Drop allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs in the two simple WebViews
VectorWebViewActivity (the 'simple' WebView used to open identity server terms pages, SSO fallback URLs and similar links) and WidgetWebView (the WebView that hosts Matrix widget integrations) both turn on: allowFileAccessFromFileURLs = true // @Suppress(DEPRECATION) allowUniversalAccessFromFileURLs = true // @Suppress(DEPRECATION) Both flags only take effect when the main frame is itself a file:// URL. VectorWebViewActivity is invoked via getIntent(context, url, ...) and every call site that builds that intent supplies an http or https URL. WidgetWebView is pointed at the widget's https URL. No call site loads a file:// document into either WebView, so neither flag is load-bearing for any existing path. allowUniversalAccessFromFileURLs in particular lets a file:// page XHR any origin, the classic CWE-200 sandbox escape, and is the reason the AOSP API was deprecated. The @Suppress comments suggest the deprecation warning was acknowledged but the flags themselves were not re-evaluated. Drop both lines in both files. Behaviour for the existing https widget and link flows is unchanged. On pre-API-30 devices (where the WebView defaults to true for both flags) this is a tightening rather than a no-op.
---
 changelog.d/9144.bugfix | 1 +
 .../app/features/webview/VectorWebViewActivity.kt | 12 ++++++++----
 .../app/features/widgets/webview/WidgetWebView.kt | 9 +++++----
 3 files changed, 14 insertions(+), 8 deletions(-)
 create mode 100644 changelog.d/9144.bugfix
diff --git a/changelog.d/9144.bugfix b/changelog.d/9144.bugfix
new file mode 100644
index 00000000000..3dd7cf762d0
--- /dev/null
+++ b/changelog.d/9144.bugfix
@@ -0,0 +1 @@
+Drop allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs in VectorWebViewActivity and WidgetWebView. Both call sites only load http/https URLs, so the flags are not load-bearing and are CWE-200 sandbox-escape vectors when left on.
diff --git a/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt b/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt
index 6e7cb9e4684..1b447f0a2ae 100644
--- a/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt
+++ b/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt
@@ -55,10 +55,14 @@ class VectorWebViewActivity : VectorBaseActivity()
 // Allow use of Local Storage
 domStorageEnabled = true
- @Suppress("DEPRECATION")
- allowFileAccessFromFileURLs = true
- @Suppress("DEPRECATION")
- allowUniversalAccessFromFileURLs = true
+ // allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs
+ // only take effect when the main frame is a file:// URL. This
+ // Activity is launched with EXTRA_URL set to an http/https URL
+ // (identity-server terms pages, SSO fallback, etc.), so neither
+ // flag is load-bearing here, and
+ // allowUniversalAccessFromFileURLs in particular is a
+ // CWE-200 sandbox-escape vector if a file:// load ever lands
+ // in this Activity.
 displayZoomControls = false
 }
diff --git a/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt b/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt
index 657f63cea7e..195b6d6d872 100644
--- a/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt
+++ b/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt
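Review bot: A file:// or content:// document can still be rendered in this WebView after the change, because nothing in the settings block sets `allowFileAccess`/`allowContentAccess`, and that is exactly the precondition the new comment hedges against ("if a file:// load ever lands in this Activity"); add `allowFileAccess = false` and `allowContentAccess = false` beside `domStorageEnabled = true` (the same two lines fit the WidgetWebView hunk, unless some path is found to rely on content:// access), and reject any EXTRA_URL whose scheme is not http/https before `loadUrl`, which happens outside this hunk. With that in place the eight-line rationale can shrink to `// file:// and content:// are never legitimate here: EXTRA_URL is always http(s), and the *FromFileURLs flags stay at their default (false).`, since a long comment explaining code that no longer exists tends to rot. The commit message's "pre-API-30" remark looks like a mix-up with allowFileAccess: per the WebSettings docs the two *FromFileURLs defaults flipped to false at API 16, so on every API 16+ device the removed `= true` lines were the only thing turning the flags on — worth verifying and correcting before merge. The receiver-scoped settings block and the Activity's URL handling start before this hunk.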
@@ -42,10 +42,11 @@ fun WebView.setupForWidget(activity: Activity,
 // Allow use of Local Storage
 settings.domStorageEnabled = true
- @Suppress("DEPRECATION")
- settings.allowFileAccessFromFileURLs = true
- @Suppress("DEPRECATION")
- settings.allowUniversalAccessFromFileURLs = true
+ // allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs
+ // only take effect when the main frame is a file:// URL. Widgets are
+ // always served from an https widget URL, so neither flag is
+ // load-bearing here, and allowUniversalAccessFromFileURLs in
+ // particular is a CWE-200 sandbox-escape vector.
 settings.displayZoomControls = false