Android WebView JavaScript settings
Pathfinder supports querying for Android WebView JavaScript settings in the source code. Enabling this setting can
result in cross-site scripting attacks.
Query Syntax CWE-079
setJavaScriptEnabled Webview API
* @name Android WebView JavaScript settings
* @description Enabling JavaScript execution in a WebView can result in cross-site scripting attacks.
* @id java/Android/webview-javascript-enabled
* @problem.severity warning
FIND method_invocation AS mi WHERE mi . getName () == " setJavaScriptEnabled " && " true " in mi . getArgumentName ()
setAllowUniversalAccessFromFileURLs Webview API
* @name Android WebView JavaScript settings
* @description Enabling SetAllowUniversalAccessFromFileURLs leak s&&box access to file:/// URLs from any origin.
* @id java/Android/webview-javascript-enabled
* @problem.severity warning
FIND method_invocation AS mi WHERE mi . getName () == " setAllowUniversalAccessFromFileURLs " && " true " in mi . getArgumentName ()
setAllowFileAccessFromFileURLs Webview API
* @name Android WebView JavaScript settings
* @description Enabling setAllowFileAccessFromFileURLs leak s&&box access to file:/// URLs.
* @id java/Android/webview-javascript-enabled
* @problem.severity warning
FIND method_invocation AS mi WHERE mi . getName () == " setAllowFileAccessFromFileURLs " && " true " in mi . getArgumentName ()
setAllowContentAccess Webview API
* @name Android WebView JavaScript settings
* @description Enabling setAllowContentAccess enables content:// access from webpages.
* @id java/Android/webview-javascript-enabled
* @problem.severity warning
FIND method_invocation WHERE mi . getName () == " setAllowContentAccess " && " true " in mi . getArgumentName ()
setAllowFileAccess Webview API
* @name Android WebView JavaScript settings
* @description Enabling setAllowFileAccess enables webview access to file:/// URLs.
* @id java/Android/webview-javascript-enabled
* @problem.severity warning
FIND method_invocation AS mi WHERE mi . getName () == " setAllowFileAccess " && " true " in mi . getArgumentName ()
addJavascriptInterface Webview API
* @name Android WebView JavaScript settings
* @description Enabling addJavascriptInterface exposes java methods to JavaScript.
* @id java/Android/webview-javascript-enabled
* @problem.severity warning
FIND method_invocation AS mi WHERE mi . getName () == " addJavascriptInterface "