Posted to issues@cordova.apache.org by GitBox <gi...@apache.org> on 2020/12/01 11:10:30 UTC

[GitHub] [cordova-android] erisu edited a comment on pull request #1137: Webviewassetloader

erisu edited a comment on pull request #1137:
URL: https://github.com/apache/cordova-android/pull/1137#issuecomment-736431210


   > **Besides that, are there reasons for and against implementing the `WebViewAssetLoader` into cordova-android?**
   
   No reasons against implementing. In fact, it is a must-implement feature.
   
   Google has disabled allowing access to `file` by default. Before, in earlier APIs, it was allowed as default. We can re-enable file access with the `setAllowFileAccess` method, which I had already committed in master to fix future issues coming from API 30.
   
   > Enabling this setting allows malicious scripts loaded in a file:// context to launch cross-site scripting attacks, either accessing arbitrary local files including WebView cookies, app private data or even credentials used on arbitrary web sites.
   
   Additionally, it is generally discouraged to load from file protocol, hence the reason they disabled this.
   
   Setting the file access back to true was only a quick temporary fix. I was already planning to implement the `WebViewAssetLoader`, which is the replacement solution.
   
   Some methods are also beginning to be deprecated starting from API 30; for example, the `setAllowUniversalAccessFromFileURLs` method was deprecated in API level 30. This setting was not secure, and the recommendation is to use `androidx.webkit.WebViewAssetLoader` to load file content securely.

