On the one hand, I can see why this would get flagged by a security
audit, because it opens the risk of 3rd party sites/scripts having
uncontrolled access to the filesystem.
On the other hand, changing this preference will break the most common
Cordova use case, where files are served from the app bundle instead
of from a remote URL.

We could add a preference for this, but it would need a bunch of
documentation to explain that it only affects Android, and to explain
clearly what it does and when you might need to enable it. A lot of
apps would break if people just turned it on as "good security
practice" without understanding the implications.

On Wed, Dec 5, 2018 at 7:57 AM MALEYRIE Stephane (AIM Services)
<prestataire.stephane.maley...@ca-titres.fr> wrote:
>
> Hello all,
>
> Thanks for your answers.
>
> I understand that new features will be only available on master release, with 
> no back port.
> I use cordova 6.4.0 because there is an issue with cordova-plugin-fcm on 
> cordova-android 7.x:
> https://github.com/fechanique/cordova-plugin-fcm/issues/470
> https://github.com/fechanique/cordova-plugin-fcm/issues/535
>
> About the security issue:
> I found an example here: 
> https://blog.trustlook.com/2018/01/19/android-webview-class-poses-significant-security-risk/
> It's about loadUrl of file:// type url
> In Cordova plugin whitelist doc, it always accepts any type of file:// url ...
> So, it doesn't seem to solve the issue.
>
> We've tried to make a plugin to change it, but it doesn't work, seems to be 
> too late in the process.
> For now, we plan to make a private fork of cordova-android-plugin to add the 
> line « settings.setAllowFileAccess(false); » here: 
> https://github.com/apache/cordova-android/blob/6.4.x/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L152
>
> About this idea, more generally, it'd be useful to configure any WebSettings 
> of the WebView, and not only the allowFileAccess attribute...
> Maybe it could be possible by Java reflection, using a config file 
> containing attribute names and their values?
> I will send a new email/thread for this.
>
> Thanks again.
>
> Stéphane
>
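As an added illustration of the "configure WebSettings from a config file" idea discussed above (a hypothetical helper, not cordova-android code): it drives WebSettings setters by name through reflection, but only those on an explicit allowlist, so a config entry cannot reach arbitrary methods. The allowlist contents, the `Map` input format and the `apply` call site (the point in the engine where the fork would call `setAllowFileAccess`) are assumptions.

```java
import android.webkit.WebSettings;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper: applies allowlisted WebSettings setters named in a config map. */
public final class WebSettingsConfigurator {
    // Assumed allowlist: only setters listed here may be driven from configuration.
    // A setting absent from the config keeps the WebView's platform default, so
    // apps serving files from the bundle keep working unless they opt in.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "allowFileAccess", "allowContentAccess", "allowFileAccessFromFileURLs",
            "allowUniversalAccessFromFileURLs", "javaScriptEnabled", "mixedContentMode"));

    /** Applies entries such as "allowFileAccess" -> "false"; returns how many were applied. */
    public static int apply(WebSettings settings, Map<String, String> config) {
        int applied = 0;
        for (Map.Entry<String, String> entry : config.entrySet()) {
            String name = entry.getKey();
            if (!ALLOWED.contains(name)) {
                continue; // unknown or disallowed setting: ignore, never invoke by name
            }
            String setter = "set" + Character.toUpperCase(name.charAt(0)) + name.substring(1);
            for (Method m : WebSettings.class.getMethods()) {
                if (!m.getName().equals(setter) || m.getParameterTypes().length != 1) continue;
                Object value = parse(m.getParameterTypes()[0], entry.getValue());
                if (value == null) break; // unsupported type or malformed value: skip this entry
                try {
                    m.invoke(settings, value);
                    applied++;
                } catch (ReflectiveOperationException ex) {
                    // Log and continue; a failed setting must not abort the others.
                }
                break;
            }
        }
        return applied;
    }

    /** Strict parsing: "true"/"false" only for booleans, so a typo cannot silently flip a setting. */
    private static Object parse(Class<?> type, String raw) {
        if (type == boolean.class) {
            if ("true".equals(raw)) return Boolean.TRUE;
            if ("false".equals(raw)) return Boolean.FALSE;
            return null;
        }
        if (type == int.class) {
            try { return Integer.parseInt(raw); } catch (NumberFormatException e) { return null; }
        }
        if (type == String.class) return raw;
        return null; // other parameter types are not supported from config
    }
}
```

A config containing only `allowFileAccess=false` reproduces the effect of the fork described above, while an app that omits the entry keeps the default behaviour.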

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org