Drop allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs in VectorWebViewActivity and WidgetWebView#285
Closed
jim-daf wants to merge 1 commit into
Closed
Conversation
… in the two simple WebViews
VectorWebViewActivity (the 'simple' WebView used to open Matrix
identity / IS terms URLs and similar links) and WidgetWebView (the
WebView that hosts Matrix widget integrations) both turn on:
allowFileAccessFromFileURLs = true // @Suppress(DEPRECATION)
allowUniversalAccessFromFileURLs = true // @Suppress(DEPRECATION)
Both flags only take effect when the main frame is itself a file://
URL. VectorWebViewActivity is launched with an http/https URL via
EXTRA_URL, and WidgetWebView is pointed at the widget's https URL. No
call site loads a file:// document into either WebView, so neither
flag is load-bearing for any existing path.
allowUniversalAccessFromFileURLs in particular lets a file:// page
XHR any origin, the classic CWE-200 sandbox escape. The @Suppress
comments suggest the deprecation warning was acknowledged but the
flags were never re-evaluated.
Drop both lines in both files. Behaviour for the existing https
widget and link flows is unchanged. On pre-API-30 devices (where
the WebView defaults to true for both flags) this is a tightening
rather than a no-op.
Member
|
Please PR to Element directly if you consider this necessary. |
This was referenced May 13, 2026
Author
|
Filed upstream as element-hq/element-android#9145. Closing this so the change can come back through the normal upstream sync once it merges there. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #284.
Two WebView setup paths still toggle the deprecated
allowFileAccessFromFileURLsandallowUniversalAccessFromFileURLsflags even though neither WebView ever loads afile://main frame.VectorWebViewActivity
Launched with
EXTRA_URLset to an http/https URL (identity-server terms pages, third-party-id links, etc.). The two flags only take effect on afile://main frame, so they do nothing for the actual launch paths.WidgetWebView
Widgets are served from the integration server's https widget URL. Same reasoning applies.
Why drop them
allowUniversalAccessFromFileURLs = truelets afile://page XHR any origin (CWE-200, the classic sandbox escape). It is unsafe to leave on as a safety margin if a future code path ever loads afile://document into one of these WebViews. The@Suppress("DEPRECATION")annotations suggest the deprecation warning was acknowledged but the flags were never re-evaluated.On pre-API-30 devices both flags default to
true, so removing the explicit= truelines is a tightening on those devices rather than a no-op only on API 30+.Scope
Two files, four lines removed, two short comments added explaining why. No other WebView setting touched.
(The same flags also live in the matching upstream files in
element-hq/element-android. This PR covers the SchildiChat tree only.)