
MASTG-BEST-0011: Securely Load File Content in a WebView

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


The recommended approach to load file content into a WebView securely is to use a WebViewClient together with WebViewAssetLoader, which serves files from the app's assets or resources directory over https:// URLs instead of insecure file:// URLs. This ensures the content is loaded in a secure, same-origin environment and avoids exposing local files to potential cross-origin attacks.

If you must allow the WebView to load local files using the file:// scheme, consider the following:

  • For apps with a minSdkVersion that has secure defaults for WebView file access methods, ensure that these methods are not used and the default values are preserved. Alternatively, explicitly set them to false to guarantee the WebView does not allow local file access:

    • setAllowFileAccess(false)
    • setAllowFileAccessFromFileURLs(false)
    • setAllowUniversalAccessFromFileURLs(false)
  • For apps with a minSdkVersion that does not have secure defaults for these methods (e.g., older API levels), ensure that the above methods are explicitly set to false in your WebView configuration.

For more details, refer to the official Android documentation on loading local content securely, especially the section on "Things to avoid".
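The following Kotlin snippet is an added example (not code from the MASTG page or the OWASP project) that shows both halves of the guidance above: serving local content through WebViewAssetLoader over an https:// origin, and explicitly disabling the three file-access settings so that file:// loading stays off regardless of the app's minSdkVersion. It assumes the androidx.webkit dependency is present and that the app ships an assets/www/index.html file; the activity name and the asset path are placeholders.

```kotlin
import android.os.Bundle
import android.webkit.WebResourceRequest
import android.webkit.WebResourceResponse
import android.webkit.WebView
import androidx.appcompat.app.AppCompatActivity
import androidx.webkit.WebViewAssetLoader
import androidx.webkit.WebViewClientCompat

// Example activity (hypothetical name) that loads bundled HTML into a WebView
// without ever enabling file:// access.
class SecureLocalContentActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        val webView = WebView(this)
        setContentView(webView)

        // Harden the WebSettings explicitly. On API 30+ allowFileAccess already
        // defaults to false, and the two *FromFileURLs settings default to false
        // since API 16, but setting them here makes the intent independent of
        // minSdkVersion and of any future change to the defaults.
        webView.settings.apply {
            allowFileAccess = false
            @Suppress("DEPRECATION")
            allowFileAccessFromFileURLs = false
            @Suppress("DEPRECATION")
            allowUniversalAccessFromFileURLs = false
            // JavaScript is only needed if the bundled page uses it.
            javaScriptEnabled = true
        }

        // Map the virtual https://appassets.androidplatform.net/assets/... and
        // /res/... paths onto the app's assets and resources directories.
        // appassets.androidplatform.net is WebViewAssetLoader's default domain.
        val assetLoader = WebViewAssetLoader.Builder()
            .addPathHandler("/assets/", WebViewAssetLoader.AssetsPathHandler(this))
            .addPathHandler("/res/", WebViewAssetLoader.ResourcesPathHandler(this))
            .build()

        // Route requests through the loader; anything outside the registered
        // paths returns null and falls through to the normal network stack.
        webView.webViewClient = object : WebViewClientCompat() {
            override fun shouldInterceptRequest(
                view: WebView,
                request: WebResourceRequest
            ): WebResourceResponse? {
                return assetLoader.shouldInterceptRequest(request.url)
            }
        }

        // Secure: the page gets a proper https:// origin.
        // Insecure alternative this replaces: webView.loadUrl("file:///android_asset/www/index.html")
        webView.loadUrl("https://appassets.androidplatform.net/assets/www/index.html")
    }
}
```

Because the content now has an https:// origin, same-origin policy applies to it in the usual way, and relative links or XHR calls inside index.html resolve against the loader's virtual domain rather than the local filesystem. When reviewing an app, the presence of WebViewAssetLoader together with all three settings left at or set to false is what the related MASTG tests look for; a file:// loadUrl call or any of these setters passed true is the finding.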

Tests

  • MASTG-TEST-0x33: References to Local File Access in WebViews
  • MASTG-TEST-0250: References to Content Provider Access in WebViews
  • MASTG-TEST-0251: Runtime Use of Content Provider Access APIs in WebViews
  • MASTG-TEST-0253: Runtime Use of Local File Access APIs in WebViews