From 021b66539fceb939e7052f3e632b7b9d7251ab1b Mon Sep 17 00:00:00 2001 From: dimitris Date: Wed, 13 May 2026 20:25:45 +0200 Subject: [PATCH] Drop allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs in the two simple WebViews VectorWebViewActivity (the 'simple' WebView used to open Matrix identity / IS terms URLs and similar links) and WidgetWebView (the WebView that hosts Matrix widget integrations) both turn on: allowFileAccessFromFileURLs = true // @Suppress(DEPRECATION) allowUniversalAccessFromFileURLs = true // @Suppress(DEPRECATION) Both flags only take effect when the main frame is itself a file:// URL. VectorWebViewActivity is launched with an http/https URL via EXTRA_URL, and WidgetWebView is pointed at the widget's https URL. No call site loads a file:// document into either WebView, so neither flag is load-bearing for any existing path. allowUniversalAccessFromFileURLs in particular lets a file:// page XHR any origin, the classic CWE-200 sandbox escape. The @Suppress comments suggest the deprecation warning was acknowledged but the flags were never re-evaluated. Drop both lines in both files. Behaviour for the existing https widget and link flows is unchanged. On pre-API-30 devices (where the WebView defaults to true for both flags) this is a tightening rather than a no-op. --- .../app/features/webview/VectorWebViewActivity.kt | 11 +++++++---- .../app/features/widgets/webview/WidgetWebView.kt | 9 +++++---- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt b/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt index 6e7cb9e4684..d1713633a31 100644 --- a/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt +++ b/vector/src/main/java/im/vector/app/features/webview/VectorWebViewActivity.kt @@ -55,10 +55,13 @@ class VectorWebViewActivity : VectorBaseActivity() // Allow use of Local Storage domStorageEnabled = true - @Suppress("DEPRECATION") - allowFileAccessFromFileURLs = true - @Suppress("DEPRECATION") - allowUniversalAccessFromFileURLs = true + // allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs + // only take effect when the main frame is a file:// URL. This + // WebView is launched with an http/https URL (see EXTRA_URL + // wiring), so neither flag is load-bearing here, and + // allowUniversalAccessFromFileURLs in particular is a + // CWE-200 sandbox-escape vector if a file:// load ever lands + // in this Activity. displayZoomControls = false } diff --git a/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt b/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt index 657f63cea7e..195b6d6d872 100644 --- a/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt +++ b/vector/src/main/java/im/vector/app/features/widgets/webview/WidgetWebView.kt @@ -42,10 +42,11 @@ fun WebView.setupForWidget(activity: Activity, // Allow use of Local Storage settings.domStorageEnabled = true - @Suppress("DEPRECATION") - settings.allowFileAccessFromFileURLs = true - @Suppress("DEPRECATION") - settings.allowUniversalAccessFromFileURLs = true + // allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs + // only take effect when the main frame is a file:// URL. Widgets are + // always served from an https widget URL, so neither flag is + // load-bearing here, and allowUniversalAccessFromFileURLs in + // particular is a CWE-200 sandbox-escape vector. settings.displayZoomControls = false