Skip to content

Drop allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs in VectorWebViewActivity and WidgetWebView#285

Closed
jim-daf wants to merge 1 commit into
SchildiChat:scfrom
jim-daf:fix-webview-file-url-flags
Closed

Drop allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs in VectorWebViewActivity and WidgetWebView#285
jim-daf wants to merge 1 commit into
SchildiChat:scfrom
jim-daf:fix-webview-file-url-flags

Conversation

@jim-daf

@jim-daf jim-daf commented May 13, 2026

Copy link
Copy Markdown

Closes #284.

Two WebView setup paths still toggle the deprecated allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs flags even though neither WebView ever loads a file:// main frame.

VectorWebViewActivity

Launched with EXTRA_URL set to an http/https URL (identity-server terms pages, third-party-id links, etc.). The two flags only take effect on a file:// main frame, so they do nothing for the actual launch paths.

WidgetWebView

Widgets are served from the integration server's https widget URL. Same reasoning applies.

Why drop them

allowUniversalAccessFromFileURLs = true lets a file:// page XHR any origin (CWE-200, the classic sandbox escape). It is unsafe to leave on as a safety margin if a future code path ever loads a file:// document into one of these WebViews. The @Suppress("DEPRECATION") annotations suggest the deprecation warning was acknowledged but the flags were never re-evaluated.

On pre-API-30 devices both flags default to true, so removing the explicit = true lines is a tightening on those devices rather than a no-op only on API 30+.

Scope

Two files, four lines removed, two short comments added explaining why. No other WebView setting touched.

(The same flags also live in the matching upstream files in element-hq/element-android. This PR covers the SchildiChat tree only.)

… in the two simple WebViews

VectorWebViewActivity (the 'simple' WebView used to open Matrix
identity / IS terms URLs and similar links) and WidgetWebView (the
WebView that hosts Matrix widget integrations) both turn on:

    allowFileAccessFromFileURLs       = true   // @Suppress(DEPRECATION)
    allowUniversalAccessFromFileURLs  = true   // @Suppress(DEPRECATION)

Both flags only take effect when the main frame is itself a file://
URL. VectorWebViewActivity is launched with an http/https URL via
EXTRA_URL, and WidgetWebView is pointed at the widget's https URL. No
call site loads a file:// document into either WebView, so neither
flag is load-bearing for any existing path.

allowUniversalAccessFromFileURLs in particular lets a file:// page
XHR any origin, the classic CWE-200 sandbox escape. The @Suppress
comments suggest the deprecation warning was acknowledged but the
flags were never re-evaluated.

Drop both lines in both files. Behaviour for the existing https
widget and link flows is unchanged. On pre-API-30 devices (where
the WebView defaults to true for both flags) this is a tightening
rather than a no-op.
@SpiritCroc

Copy link
Copy Markdown
Member

Please PR to Element directly if you consider this necessary.

@jim-daf

jim-daf commented May 13, 2026

Copy link
Copy Markdown
Author

Filed upstream as element-hq/element-android#9145. Closing this so the change can come back through the normal upstream sync once it merges there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

VectorWebViewActivity and WidgetWebView enable the FromFileURLs flags despite only loading https URLs

2 participants