WebViewActivity enables setAllowFileAccess but shouldInterceptRequest only routes http/https through OkHttp

[jim-daf]

app/src/main/java/com/gianlu/aria2app/webview/WebViewActivity.java configures the in-app browser WebView with:

WebSettings settings = web.getSettings();
settings.setJavaScriptEnabled(true);
settings.setAllowFileAccess(true);
settings.setDomStorageEnabled(true);
settings.setDatabaseEnabled(true);

Every request the WebView makes is then routed through shouldInterceptRequest, which builds an OkHttpClient request via HttpUrl.parse:

private static Request buildRequest(@NonNull WebResourceRequest req) {
    ...
    HttpUrl url = HttpUrl.parse(req.getUrl().toString());
    if (url == null)
        return null;
    ...
}

OkHttp.HttpUrl.parse only accepts http and https. For file:// requests it returns null, buildRequest returns null, and shouldInterceptRequest returns null. The WebView then falls back to its default loader, which is what setAllowFileAccess(true) keeps in scope.

The browser is for finding downloadable web links, so file:// is not a supported user flow. Leaving the flag on is more attack surface than the OkHttp routing actually wants, and CWE-200 maps to the WebView posture.

Suggested fix

Flip setAllowFileAccess(true) to setAllowFileAccess(false). file:///android_asset/* remains available regardless of the flag on every supported Android version, so any future asset path is unaffected.

A PR is open at #390.