Android WebView settings allows access to content links¶
ID: java/android/websettings-allow-content-access
Kind: problem
Security severity: 6.5
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-200
Query suites:
- java-security-extended.qls
- java-security-and-quality.qls
An Android WebView can load data from content providers through content:// URLs when the setAllowContentAccess setting on its WebSettings is enabled. Because the WebView runs inside the app's own process, content loaded into it (in particular JavaScript, when it is enabled) can then reach whatever the app's content providers expose, as well as data from other providers the app has permission to query. If the WebView ever displays untrusted content, for example a page whose URL came from an Intent or from a remote server, that content may be able to read protected data through content:// URLs. Note that Android enables this setting by default, so a WebView that never calls setAllowContentAccess is affected just as much as one that sets it to true explicitly.
Recommendation¶
If your app does not need the WebView to load content:// URLs, explicitly disable the setting by calling setAllowContentAccess(false) on the WebView's settings. Since the setting defaults to enabled, simply omitting a call to setAllowContentAccess(true) is not sufficient.
Example¶
In the following (bad) example, access to content:// URLs is explicitly allowed.

```java
WebSettings settings = webview.getSettings();
// BAD: WebView is configured to allow content access
settings.setAllowContentAccess(true);
```
In the following (good) example, access to content:// URLs is explicitly denied.

```java
WebSettings settings = webview.getSettings();
// GOOD: WebView is configured to disallow content access
settings.setAllowContentAccess(false);
```
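The following is an added example and is not part of the query's help text or of the Android SDK. It shows one way to apply the recommendation above together with the related file-access settings and a defence-in-depth WebViewClient that refuses content:// and file:// requests even if a setting is re-enabled elsewhere in the app. The class HardenedWebView, the method configure and the helper isLocalScheme are hypothetical names chosen for this example; the WebSettings and WebViewClient calls are standard Android APIs. It assumes minSdk 24 or later, since the WebResourceRequest overloads of shouldInterceptRequest and shouldOverrideUrlLoading used here were added in API levels 21 and 24 respectively.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;

// Hypothetical helper for this example; not part of the CodeQL query or of Android.
public final class HardenedWebView {

    private HardenedWebView() {}

    /** Locks down a WebView that only needs to display remote https:// pages. */
    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();

        // Android enables content URL access by default, so this call is
        // required; merely not calling setAllowContentAccess(true) is not enough.
        settings.setAllowContentAccess(false);

        // Related settings that also widen what page content can reach.
        settings.setAllowFileAccess(false);
        // Deprecated since API 30 (where they already default to false), but
        // still worth setting explicitly when targeting older API levels.
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Defence in depth: refuse local schemes in the client as well, so that a
        // later change to the settings elsewhere in the app does not silently
        // reopen access to content providers.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view,
                                                              WebResourceRequest request) {
                if (isLocalScheme(request.getUrl())) {
                    // Serve an empty body instead of the content provider's data.
                    return new WebResourceResponse("text/plain", "utf-8",
                            new ByteArrayInputStream(new byte[0]));
                }
                return super.shouldInterceptRequest(view, request);
            }

            @Override
            public boolean shouldOverrideUrlLoading(WebView view,
                                                    WebResourceRequest request) {
                // Returning true cancels top-level navigation to content:// or file:// URLs.
                return isLocalScheme(request.getUrl());
            }
        });
    }

    /** True for URLs that resolve to app-local data rather than the network. */
    static boolean isLocalScheme(Uri uri) {
        String scheme = uri == null ? null : uri.getScheme();
        return "content".equalsIgnoreCase(scheme) || "file".equalsIgnoreCase(scheme);
    }
}
```

Call HardenedWebView.configure(webView) before the first loadUrl. The WebViewClient overrides are a backstop, not a replacement for setAllowContentAccess(false): the setting is what the query checks, and the client only covers requests that reach it.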
References¶
- Android Documentation: setAllowContentAccess.
- Common Weakness Enumeration: CWE-200.