Disable setAllowFileAccess in WebViewActivity #390
Open
jim-daf wants to merge 1 commit into
WebViewActivity hosts the in-app browser that lets the user surf to
download links and hand them off to aria2. setAllowFileAccess(true)
was on, even though every request from the WebView is routed through
the WebViewClient.shouldInterceptRequest below, which builds an
OkHttpClient request via HttpUrl.parse:

    private static Request buildRequest(@nonnull WebResourceRequest req) {
        ...
        HttpUrl url = HttpUrl.parse(req.getUrl().toString());
        if (url == null)
            return null;
        ...
    }

OkHttp only accepts http and https. HttpUrl.parse returns null for
file:// URIs, so the existing interception path silently drops them
on the OkHttp side. With setAllowFileAccess(false), WebView itself
also refuses to load file:// URLs at the main-frame level, so the
two layers agree.
file:///android_asset/* remains available on every supported
Android version, so any bundled-asset code path is unaffected.
Assisted-by: Claude (Anthropic)
Closes #389.
WebViewActivity hosts the in-app browser used to find downloadable links and hand them off to aria2. setAllowFileAccess(true) is on while every request the WebView makes is routed through shouldInterceptRequest:

OkHttp.HttpUrl.parse only accepts http and https. file:// URIs cause it to return null, buildRequest returns null, and the OkHttp routing silently drops them. The browser is for web download links, so file:// is not a supported user flow.

Change

Flip setAllowFileAccess(true) to setAllowFileAccess(false) so the WebView and the OkHttp interceptor agree on the same scheme allow-list. file:///android_asset/* remains available on every supported Android version regardless of the flag.

One-line semantic change. No other WebView setting touched.
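
An added example, not code from this pull request or from the project: one way to make both layers reject file:// explicitly. A null return from shouldInterceptRequest tells WebView to load the resource with its own loader, so the interception layer here returns an empty response instead. The class name FileSchemeGuard and its methods are hypothetical, and the WebResourceRequest overload of shouldOverrideUrlLoading assumes API 24 or later.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;

// Hypothetical helper (not part of the project): refuses file:// at the
// WebView settings layer and at the request-interception layer.
final class FileSchemeGuard {
    private FileSchemeGuard() {}

    // URI schemes are case-insensitive, so compare without regard to case.
    static boolean isFileScheme(Uri uri) {
        return "file".equalsIgnoreCase(uri.getScheme());
    }

    static void apply(WebView webView) {
        // Layer 1: the setting this PR flips. WebView itself refuses file://
        // loads; file:///android_asset/ stays available.
        webView.getSettings().setAllowFileAccess(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest req) {
                // Returning true cancels the navigation.
                return isFileScheme(req.getUrl());
            }

            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest req) {
                if (isFileScheme(req.getUrl())) {
                    // Layer 2: answer with an empty body. Returning null here
                    // would hand the request back to WebView's default loader.
                    return new WebResourceResponse("text/plain", "utf-8",
                            new ByteArrayInputStream(new byte[0]));
                }
                // null = let WebView (or an app-specific proxy) handle http/https.
                return super.shouldInterceptRequest(view, req);
            }
        });
    }
}
```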