From d93c5289a9ec826057dc69b8b87b38c77b8dbb2a Mon Sep 17 00:00:00 2001
From: dimitris
Date: Wed, 13 May 2026 20:16:10 +0200
Subject: [PATCH] Tighten AdvWebView WebView posture

AdvWebView.init() turned on three settings that loosen the WebView sandbox more than the forum-client code actually needs:
- setMixedContentMode(MIXED_CONTENT_ALWAYS_ALLOW)
- setAllowFileAccessFromFileURLs(true)
- setAllowUniversalAccessFromFileURLs(true)
The HTML rendered into AdvWebView is always built locally by HtmlBuilder / TopicBodyBuilder / QmsHtmlBuilder and either points the WebView at an https://forum-host/forum/ base URL or references bundled resources via file:///android_asset/. The android_asset scheme is permitted regardless of the file flags, so neither FromFileURLs flag is load-bearing for any of the existing call sites. Replace MIXED_CONTENT_ALWAYS_ALLOW with MIXED_CONTENT_COMPATIBILITY_MODE, which keeps passive sub-resources (images, fonts) loading on https forum pages while blocking active mixed content like remote scripts. Remove the two setAllow*FromFileURLs(true) calls. The dev comment on the first one already said 'Maybe you don't need this rule' -- confirmed, neither is needed. setAllowFileAccess(true) is left in place because removing it would require a wider audit of every fragment that constructs an AdvWebView.
---
 .../slartus/forpdaplus/classes/AdvWebView.java | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/app/src/main/java/org/softeg/slartus/forpdaplus/classes/AdvWebView.java b/app/src/main/java/org/softeg/slartus/forpdaplus/classes/AdvWebView.java
index ba7723a9..0a5b4ee7 100755
--- a/app/src/main/java/org/softeg/slartus/forpdaplus/classes/AdvWebView.java
+++ b/app/src/main/java/org/softeg/slartus/forpdaplus/classes/AdvWebView.java
@@ -58,8 +58,12 @@ public AdvWebView(Context context, AttributeSet attrs, int defStyleAttr, int def
 private void init() {
 // gd = new GestureDetector(context, sogl);
 if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
- // даём разрешение подгружать несекьюрные ресурсы из assets
- getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
+ // даём разрешение подгружать несекьюрные ресурсы из assets.
+ // COMPATIBILITY_MODE keeps passive sub-resources (images,
+ // fonts) loading on https forum pages while blocking active
+ // mixed content like remote scripts. ALWAYS_ALLOW is the
+ // strictly less safe option in the WebSettings javadoc.
+ getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE);
 }
 getSettings().setJavaScriptEnabled(true);
@@ -68,8 +72,13 @@ private void init() {
 getSettings().setDomStorageEnabled(true);
 getSettings().setAllowFileAccess(true);
 getSettings().setCacheMode(WebSettings.LOAD_NO_CACHE);
- getSettings().setAllowFileAccessFromFileURLs(true); //Maybe you don't need this rule
- getSettings().setAllowUniversalAccessFromFileURLs(true);
+ // setAllowFileAccessFromFileURLs / setAllowUniversalAccessFromFileURLs
+ // only take effect when the WebView is rendering a file:// document.
+ // AdvWebView loads its HTML with loadDataWithBaseURL on an https
+ // forum base URL and references bundled resources via
+ // file:///android_asset/, which is permitted regardless. The two
+ // flags are not needed for any of the existing WebView paths and
+ // are a known sandbox-escape vector (CWE-200) when left on.
 if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR2)
 getSettings().setPluginState(WebSettings.PluginState.ON);// для воспроизведения видео
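Review bot: The first line of the new comment block in the LOLLIPOP branch is the old Russian lead-in (`// даём разрешение подгружать несекьюрные ресурсы из assets.`, roughly "we allow loading insecure resources from assets"), which still describes the ALWAYS_ALLOW intent and now contradicts the English sentences below it: mixed-content mode governs http:// sub-resources on an https page, and has nothing to do with asset loads. Replace that line with one that matches the new setting, e.g. `// Allow passive http:// sub-resources (images, fonts) on https forum pages; active mixed content is blocked.`, so the block no longer starts with a stale claim. It may also be worth one sentence noting that the WebSettings javadoc describes COMPATIBILITY_MODE as a best-effort browser-like policy rather than a fixed allow-list, so the exact set of permitted passive types should not be relied on. init() continues outside the hunk.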
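Review bot: The second hunk replaces the two setAllow*FromFileURLs(true) calls with a seven-line comment attached to no statement, so the hardened posture now lives only in prose; the WebSettings javadoc gives both flags a default of false from API 16 (the level that introduced them), so behaviour is unchanged, but an explicit `getSettings().setAllowFileAccessFromFileURLs(false);` and `getSettings().setAllowUniversalAccessFromFileURLs(false);` would make the intent grep-able and keep the comment next to the code it documents. The last comment line's label "sandbox-escape vector (CWE-200)" is also a poor fit: CWE-200 is information exposure, and the concrete effect of the universal-access flag is that script in a file:// document may read any origin, i.e. a same-origin-policy bypass; stating that mechanism is more useful than the tag. The unguarded `setAllowFileAccess(true)` two lines above is what still makes file:// loads reachable at all, which the commit message acknowledges as deferred. init() continues past the end of the hunk.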