Android WebView settings allows access to content links
ID: java/android/websettings-allow-content-access
Kind: problem
Security severity: 6.5
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-200
Query suites:
- java-security-extended.qls
- java-security-and-quality.qls
Android can provide access to content providers within a WebView using the setAllowContentAccess setting.
Allowing access to content providers via content:// URLs may allow JavaScript to access protected content.
Recommendation
If your app does not require access to the content:// URL functionality, you should explicitly disable the setting by calling setAllowContentAccess(false) on the settings of the WebView.
Example
In the following (bad) example, access to content:// URLs is explicitly allowed.
WebSettings settings = webview.getSettings();
// BAD: WebView is configured to allow content access
settings.setAllowContentAccess(true);
In the following (good) example, access to content:// URLs is explicitly denied.
WebSettings settings = webview.getSettings();
// GOOD: WebView is configured to disallow content access
settings.setAllowContentAccess(false);
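The following helper is an added example that is not part of the CodeQL query help or the Android SDK; the class name WebViewHardening and its two methods are hypothetical. It applies the recommendation above in one place and adds a runtime self-check, since setAllowContentAccess defaults to enabled and a WebView configured elsewhere in the app can silently keep content:// access on.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;

/** Hypothetical helper for this example; not part of the CodeQL project or the Android SDK. */
public final class WebViewHardening {

    private WebViewHardening() {}

    /**
     * Applies the query's recommendation. Content URL access is enabled by default
     * in WebSettings, so an app that does not need content:// URLs must turn it off
     * explicitly. Returns the settings object so callers can continue configuring it.
     */
    public static WebSettings disableContentAccess(WebView webView) {
        WebSettings settings = webView.getSettings();
        // GOOD: JavaScript running in this WebView can no longer load content:// URLs
        // served by content providers installed on the device.
        settings.setAllowContentAccess(false);
        return settings;
    }

    /**
     * Self-check intended for a debug build or an instrumentation test: returns true
     * only when content access is actually disabled on the given WebView. This catches
     * a later code path that re-enables the setting or a WebView built without the
     * helper above.
     */
    public static boolean isContentAccessDisabled(WebView webView) {
        return !webView.getSettings().getAllowContentAccess();
    }
}
```

Call disableContentAccess in the Activity's onCreate before the first loadUrl call, and assert isContentAccessDisabled in an instrumentation test so that a regression re-enabling content:// access fails the build rather than shipping.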
References
Android Documentation: setAllowContentAccess.
Common Weakness Enumeration: CWE-200.