[GitHub] [cordova-android] erisu commented on pull request #1137: Webviewassetloader

[GitBox <gi...@apache.org>]

erisu commented on pull request #1137:
URL: https://github.com/apache/cordova-android/pull/1137#issuecomment-736431210


   > **Besides that, are there reasons for and against implementing the `WebViewAssetLoader` into cordova-android?**
   
   No reasons against implementing. In fact, it is a must implement feature.
   
   Google has disabled allowing access to `file` by default. Before, in earlier APIs, it was allowed as default. We can re-enable file access with the `setAllowFileAccess` method, which I had already committed in master to fix future issues coming from API 30.
   
   > Enabling this setting allows malicious scripts loaded in a file:// context to launch cross-site scripting attacks, either accessing arbitrary local files including WebView cookies, app private data or even credentials used on arbitrary web sites.
   
   Additionally, it is generally discouraged to load from file protocol, hence the reason they disabled this.
   
   Setting the allow file access was back to true was only temporary as I was planning to implement  `WebViewAssetLoader` which was the replacement solution.
   
   Some methods are also begining to be deprecated starting from API 30, for example the `setAllowUniversalAccessFromFileURLs` method was deprecated in API level 30. This setting was not secure, and recommend to use `androidx.webkit.WebViewAssetLoader` to load file content securely. 


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org