Android WebView settings allows access to content links — CodeQL query help documentation CodeQL docs

CodeQL resources

Android WebView settings allows access to content links¶

ID: java/android/websettings-allow-content-access
Kind: problem
Security severity: 6.5
Severity: warning
Precision: medium
Tags:
   - security
   - external/cwe/cwe-200
Query suites:
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

Android can provide access to content providers within a WebView using the setAllowContentAccess setting.

Allowing access to content providers via content:// URLs may allow JavaScript to access protected content.

Recommendation¶

If your app does not require access to the content:// URL functionality, you should explicitly disable the setting by calling setAllowContentAccess(false) on the settings of the WebView.

Example¶

In the following (bad) example, access to content:// URLs is explicitly allowed.

WebSettings settings = webview.getSettings();

// BAD: WebView is configured to allow content access
settings.setAllowContentAccess(true);

In the following (good) example, access to content:// URLs is explicitly denied.

WebSettings settings = webview.getSettings();

// GOOD: WebView is configured to disallow content access
settings.setAllowContentAccess(false);

References¶

Android Documentation: setAllowContentAccess.
Common Weakness Enumeration: CWE-200.

© GitHub, Inc.
Terms
Privacy