From 934be88bf8eb324240822838309e8efebde4cb53 Mon Sep 17 00:00:00 2001 From: dimitris Date: Wed, 13 May 2026 19:22:30 +0200 Subject: [PATCH] fix(webview): drop allowFileAccessFromFileURLs and unneeded allowFileAccess in WebViewLayout WebViewLayout.get() toggled two settings inside the ReadingFontsPreference when block: allowFileAccess and allowFileAccessFromFileURLs, both set to true for the GoogleSans and External preferences. allowFileAccessFromFileURLs lets scripts running on a file:// page issue XHR requests against other file:// resources. None of the article HTML fed to this WebView is a file:// document (it is delivered via loadDataWithBaseURL or loadUrl on http content), so the flag has no positive effect for either font mode, and it broadens what a malicious sub-resource could read if the WebView ever ended up on a file URL. allowFileAccess for the GoogleSans branch is also unnecessary. The Google Sans assets are bundled and reached via file:///android_asset/, which works even when allowFileAccess is left at its default. The External branch genuinely loads a user-picked font from device storage, so the flag stays in place there. Net effect: GoogleSans: no behaviour change, two unsafe flags removed External: one unsafe flag removed, file access still permitted for the user-chosen font file --- .../java/me/ash/reader/ui/component/webview/WebViewLayout.kt | 3 --- 1 file changed, 3 deletions(-) diff --git a/app/src/main/java/me/ash/reader/ui/component/webview/WebViewLayout.kt b/app/src/main/java/me/ash/reader/ui/component/webview/WebViewLayout.kt index 8b60bc6e1..f742ee67b 100644 --- a/app/src/main/java/me/ash/reader/ui/component/webview/WebViewLayout.kt +++ b/app/src/main/java/me/ash/reader/ui/component/webview/WebViewLayout.kt 
@@ -30,13 +30,10 @@ object WebViewLayout { ReadingFontsPreference.SansSerif -> "sans-serif" ReadingFontsPreference.Serif -> "serif" ReadingFontsPreference.GoogleSans -> { - allowFileAccess = true - allowFileAccessFromFileURLs = true "sans-serif" } ReadingFontsPreference.External -> { allowFileAccess = true - allowFileAccessFromFileURLs = true "sans-serif" }
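Review bot: In the `ReadingFontsPreference.External` branch, `allowFileAccess = true` is still set and no other branch ever sets it back, so the resulting state depends on the platform default and on which branch ran last. If `WebViewLayout.get()` can be called again on the same WebView settings after the user switches from External to SansSerif, Serif or GoogleSans, file access stays enabled. The default for `allowFileAccess` is also `true` for apps targeting API 29 and below, so for GoogleSans the removal only takes effect where the default is already `false`. Consider assigning `allowFileAccess = false` once before the `when` (or in each non-External branch) and enabling it only inside External, so the setting is explicit instead of inherited. Minor style point: with its two assignments removed, the GoogleSans branch is now just `{ "sans-serif" }` and could be written as a single expression like the SansSerif and Serif branches above it.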