From 7bea49896c286381ec0642769a82e117d93bbbf6 Mon Sep 17 00:00:00 2001 From: dimitris Date: Wed, 13 May 2026 23:55:33 +0200 Subject: [PATCH] Disable setAllowFileAccess in WebViewActivity WebViewActivity hosts the in-app browser that lets the user surf to download links and hand them off to aria2. setAllowFileAccess(true) was on, even though every request from the WebView is routed through the WebViewClient.shouldInterceptRequest below, which builds an OkHttpClient request via HttpUrl.parse: private static Request buildRequest(@NonNull WebResourceRequest req) { ... HttpUrl url = HttpUrl.parse(req.getUrl().toString()); if (url == null) return null; ... } OkHttp only accepts http and https. HttpUrl.parse returns null for file:// URIs, so the existing interception path silently drops them on the OkHttp side. With setAllowFileAccess(false), WebView itself also refuses to load file:// URLs at the main-frame level, so the two layers agree. file:///android_asset/* remains available on every supported Android version, so any bundled-asset code path is unaffected. Assisted-by: Claude (Anthropic)
---
 .../java/com/gianlu/aria2app/webview/WebViewActivity.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/app/src/main/java/com/gianlu/aria2app/webview/WebViewActivity.java b/app/src/main/java/com/gianlu/aria2app/webview/WebViewActivity.java
index 961765bd..94c62a39 100644
--- a/app/src/main/java/com/gianlu/aria2app/webview/WebViewActivity.java
+++ b/app/src/main/java/com/gianlu/aria2app/webview/WebViewActivity.java
@@ -144,7 +144,13 @@ protected void onCreate(Bundle savedInstanceState) {
 WebSettings settings = web.getSettings();
 settings.setJavaScriptEnabled(true);
- settings.setAllowFileAccess(true);
+ // The WebView is used to browse the web for downloadable links and
+ // hand them off to aria2. shouldInterceptRequest below routes every
+ // request through an OkHttpClient that only handles http and https
+ // (HttpUrl.parse returns null for file:// URIs and the request is
+ // dropped). file:// inputs are not a supported use case here, so
+ // there is no reason to leave the default file-access surface on.
+ settings.setAllowFileAccess(false);
 settings.setDomStorageEnabled(true);
 settings.setDatabaseEnabled(true);
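Review bot: The comment added above `settings.setAllowFileAccess(false);` says a request for which `HttpUrl.parse` returns null "is dropped", but that depends on what `shouldInterceptRequest` returns in that case, and that code is outside this hunk. If it returns null, WebView falls back to its own loader, so the setting added here is the real control rather than a second layer, and the comment should say so, e.g. `// OkHttp cannot serve file:// URLs; setAllowFileAccess(false) is what stops WebView from loading them itself.` Separately, `content://` access is governed by its own setting, which this hunk leaves at its default (enabled) while JavaScript stays on. If content-provider URLs are not a supported input either, add `settings.setAllowContentAccess(false);` on the next line. onCreate's body starts and ends outside the hunk.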