Skip to content

MASWE-0069: WebViews Allows Access to Local Resources

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Placeholder Weakness

This weakness hasn't been created yet and it's a placeholder. But you can check its status or start working on it yourself. If the issue has not yet been assigned, you can request to be assigned to it and submit a PR with the new content for that weakness by following our guidelines.

Check our GitHub Issues for MASWE-0069

Initial Description or Hints

use of setAllowFileAccessFromFileURLs. Mitigations include setAllowFileAccess(false), setAllowContentAccess(false)

Relevant Topics

  • universal file access
  • restrict content access
  • handlers e.g. file:// vs content://

MASTG v1 Coverage

No MASTG v1 tests are related to this weakness.

Tests

MASTG-TEST-0251: Runtime Use of Content Provider Access APIs in WebViews MASTG-TEST-0253: Runtime Use of Local File Access APIs in WebViews MASTG-TEST-0334: Native Code Exposed Through WebViews MASTG-TEST-0250: References to Content Provider Access in WebViews MASTG-TEST-0252: References to Local File Access in WebViews MASTG-TEST-0376: References to Native Bridge APIs in WebViews MASTG-TEST-0379: References to evaluateJavaScript Without Content World Isolation MASTG-TEST-0378: References to Password Fields in WebView-Loaded HTML MASTG-TEST-0377: References to evaluateJavaScript Used as Bridge Reply in WKScriptMessageHandler MASTG-TEST-0380: References to evaluateJavaScript Writing Sensitive Data into WebView DOM MASTG-TEST-0336: Runtime Setting of Relaxed WebView File Origin Policies MASTG-TEST-0333: Overly Broad File Read Access in WebViews MASTG-TEST-0335: WebView File Origin Access Relaxed by Configuration

Best Practices

MASTG-BEST-0011: Securely Load File Content in a WebView MASTG-BEST-0012: Disable JavaScript in WebViews MASTG-BEST-0013: Disable Content Provider Access in WebViews MASTG-BEST-0049: Restrict and Validate Access to Exported Content Providers MASTG-BEST-0010: Use Up-to-Date minSdkVersion MASTG-BEST-0035: Prefer Origin Scoped Messaging Over Legacy JavaScript Bridges MASTG-BEST-0058: Restrict Native Functionality Exposed Through WebView Bridges MASTG-BEST-0061: Use WKContentWorld Isolation for DOM Inspection Scripts MASTG-BEST-0059: Render Sensitive UI as Native Views Over the WebView MASTG-BEST-0060: Use Native Views for Sensitive Text Entry Over a WebView MASTG-BEST-0062: Use WKScriptMessageHandlerWithReply to Return Data to JavaScript MASTG-BEST-0033: Securely Load File Content in a WebView