Disable WebView file access when the image cache is off #1497
Open
jim-daf wants to merge 1 commit into
ReadArticleActivity.initWebView turned on setAllowFileAccess(true) only
when the image cache feature is enabled, but it never turned it back
off. On minSdkVersion 23 setAllowFileAccess defaults to true, so a
WebView created on Android 9 or earlier kept file:// access enabled
even when the user had disabled the image cache from settings.
The article WebView already attaches two JavascriptInterface objects
(hostWebViewTextController and hostAnnotationController), so any code
path that loaded a file:// document into this WebView could reach
both bridges from a same-origin file:// page.
Rewrite the conditional to set the flag explicitly each time
initWebView runs, mirroring whether the image cache is on:

    boolean needsFileAccess = settings.isImageCacheEnabled();
    if (webViewSettings.getAllowFileAccess() != needsFileAccess) {
        webViewSettings.setAllowFileAccess(needsFileAccess);
    }

Behaviour with image cache enabled is unchanged. With image cache off,
the WebView no longer carries the legacy default-on file access on
pre-API-30 devices.
Closes #1496.
ReadArticleActivity.initWebView() already gates setAllowFileAccess(true) on the image cache being enabled, but the gate is one-directional: It only enables the flag, it never disables it. On minSdkVersion 23 the WebView default for setAllowFileAccess is true on Android 9 and below, so a WebView on those versions kept file URL access regardless of whether the user had the image cache turned on. The article WebView also attaches two JS bridges (hostWebViewTextController, hostAnnotationController), which is what makes the lingering flag matter.

Change
Make the flag mirror the cache setting explicitly:
Behaviour
loadDataWithBaseURL("file:///android_asset/", ...) (the line that loads the article HTML further down) continues to work because the android_asset scheme is permitted regardless of this flag.
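
A regression check for the one-directional gate versus the mirrored one, written as an Android instrumentation test. This is an added example, not code from the pull request or the project: the class name `FileAccessGateTest` and the helpers `oneWayGate` and `mirroredGate` are hypothetical, and the test assumes the AndroidX Test libraries are on the classpath.

```java
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.test.core.app.ApplicationProvider;
import androidx.test.ext.junit.runners.AndroidJUnit4;
import androidx.test.platform.app.InstrumentationRegistry;
import org.junit.Test;
import org.junit.runner.RunWith;

@RunWith(AndroidJUnit4.class)
public class FileAccessGateTest {

    // Hypothetical helper: the one-directional gate, which enables but never disables.
    static void oneWayGate(WebSettings s, boolean imageCacheEnabled) {
        if (imageCacheEnabled) {
            s.setAllowFileAccess(true);
        }
    }

    // Hypothetical helper: the mirrored gate, where the flag always follows the setting.
    static void mirroredGate(WebSettings s, boolean imageCacheEnabled) {
        if (s.getAllowFileAccess() != imageCacheEnabled) {
            s.setAllowFileAccess(imageCacheEnabled);
        }
    }

    @Test
    public void flagFollowsImageCacheSetting() {
        // A WebView has to be created and used on a thread with a Looper.
        InstrumentationRegistry.getInstrumentation().runOnMainSync(() -> {
            WebView webView = new WebView(ApplicationProvider.getApplicationContext());
            WebSettings s = webView.getSettings();

            s.setAllowFileAccess(true);          // stand-in for a default-on platform state
            oneWayGate(s, false);
            assertTrue(s.getAllowFileAccess());  // cache off, yet file access stays on

            mirroredGate(s, false);
            assertFalse(s.getAllowFileAccess()); // cache off, file access off

            mirroredGate(s, true);
            assertTrue(s.getAllowFileAccess());  // cache on, behaviour unchanged
            webView.destroy();
        });
    }
}
```

Forcing the flag to true before each gate runs keeps the check independent of whatever default the device or target SDK supplies.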