WebViews can be used to display web content as part of a mobile application. A browser engine is used to render and display the content. Like a web
application, a mobile application that uses WebViews can be vulnerable to Cross-Site Scripting if untrusted code is rendered. In the context of a
WebView, JavaScript code can exfiltrate local files that might be sensitive or even worse, access exposed functions of the application that can result
in more severe vulnerabilities such as code injection. Thus JavaScript support should not be enabled for WebViews unless it is absolutely necessary
and the authenticity of the web resources can be guaranteed.
Ask Yourself Whether
- The WebWiew only renders static web content that does not require JavaScript code to be executed.
- The WebView contains untrusted data that could cause harm when rendered.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to disable JavaScript support for WebViews unless it is necessary to execute JavaScript code. Only trusted pages should be
rendered.
Sensitive Code Example
Using v4 and above of the webview_flutter package:
import 'package:webview_flutter/webview_flutter.dart';
class _WebViewPageState extends State<WebViewPage> {
final WebViewController _controller = WebViewController()
..setJavaScriptMode(JavaScriptMode.unrestricted) // Sensitive
..setBackgroundColor(const Color(0x00000000));
@override
Widget build(BuildContext context) => Scaffold();
}
Using v3 and below of the webview_flutter package:
import 'package:webview_flutter/webview_flutter.dart';
class _WebViewPageState extends State<WebViewPage> {
final WebView _view = WebView(
initialUrl: 'https://example.com',
javascriptMode: JavascriptMode.unrestricted, // Sensitive
);
@override
Widget build(BuildContext context) => Scaffold();
}
Using the flutter_inappwebview package:
import 'package:flutter_inappwebview/flutter_inappwebview.dart';
class _WebViewPageState extends State<WebViewPage> {
final InAppWebViewController _controller = InAppWebViewController("id", _view)
..setOptions(InAppWebViewGroupOptions(
// In flutter_inappwebview, JS is enabled by default
crossPlatform: InAppWebViewOptions(), // Sensitive
));
@override
Widget build(BuildContext context) => Scaffold();
}
Compliant Solution
Using v4 and above of the webview_flutter package:
import 'package:webview_flutter/webview_flutter.dart';
class _WebViewPageState extends State<WebViewPage> {
final WebViewController _controller = WebViewController()
..setBackgroundColor(const Color(0x00000000));
@override
Widget build(BuildContext context) => Scaffold();
Using v3 and below of the webview_flutter package:
import 'package:webview_flutter/webview_flutter.dart';
class _WebViewPageState extends State<WebViewPage> {
final WebView _view = WebView(
initialUrl: 'https://example.com',
);
@override
Widget build(BuildContext context) => Scaffold();
}
Using the flutter_inappwebview package:
import 'package:flutter_inappwebview/flutter_inappwebview.dart';
class _WebViewPageState extends State<WebViewPage> {
final InAppWebViewController _controller = InAppWebViewController("id", _view)
..setOptions(InAppWebViewGroupOptions(
// In flutter_inappwebview, JS is enabled by default
crossPlatform: InAppWebViewOptions(
javaScriptEnabled: false,
),
));
@override
Widget build(BuildContext context) => Scaffold();
}
See
Related rules
- S7409 - Exposing Java objects through JavaScript interfaces is security-sensitive
