Granting file access to WebViews, particularly through the file:// scheme, introduces a risk of local file inclusion vulnerabilities.
The severity of this risk depends heavily on the specific settings configured for the WebView. Overly permissive settings can allow malicious scripts
to access a wide range of local files, potentially exposing sensitive data such as Personally Identifiable Information (PII) or private application
data, leading to data breaches and other security compromises.
Ask Yourself Whether
- You open files that may be created or altered by external sources.
- You open arbitrary URLs from external sources.
There is a risk if you answered yes to any of these questions.
Recommended Secure Coding Practices
Avoid opening file:// URLs from external sources in WebView components. If your application accepts arbitrary URLs from external
sources, do not enable this functionality.
On Android, it is recommended to use androidx.webkit.WebViewAssetLoader to access files, including assets and resources, via a custom,
controllable scheme.
On iOS, it is recommended to use Bundles to access local files, keeping access limited to a controlled subset using the
allowingReadAccessTo parameter of the loadFileURL method. If allowFileAccessFromFileURLs and
allowUniversalAccessFromFileURLs are not enabled, it is not possible to access files outside the intended directory. It is also possible
to create a custom scheme to access local files, but this is more complex and might lead to unintended security issues.
For enhanced security, ensure that the options to load file:// URLs are explicitly set to false.
Sensitive Code Example
The following code enables the allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs preferences.
allowFileAccessFromFileURLs is a sensitive preference that allows JavaScript running from the file:// scheme to access
other files in the app’s sandbox, even if they were not intended to be accessible.
For example, only the www directory is made accessible in the code below, but JavaScript can still access other files in the app’s
sandbox because allowFileAccessFromFileURLs is enabled.
allowUniversalAccessFromFileURLs is a sensitive preference that goes even further, removing the same-origin security policy in
general, for both local and remote files.
import WebKit

let webView = WKWebView()
webView.configuration.preferences.setValue(true, forKey: "allowFileAccessFromFileURLs") // Sensitive
webView.configuration.setValue(true, forKey: "allowUniversalAccessFromFileURLs") // Sensitive
if let url = Bundle.main.url(forResource: "index", withExtension: "html", subdirectory: "www") {
    webView.loadFileURL(url, allowingReadAccessTo: url.deletingLastPathComponent())
}
Compliant Solution
By not enabling the allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs preferences, only files in the
www directory are accessible to the WKWebView. It is important that this directory does not contain any sensitive files.
import WebKit

let webView = WKWebView()
if let url = Bundle.main.url(forResource: "index", withExtension: "html", subdirectory: "www") {
    webView.loadFileURL(url, allowingReadAccessTo: url.deletingLastPathComponent())
}
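The following added example (not part of the original rule text) extends the compliant solution to the two situations listed under "Ask Yourself Whether": it keeps both preferences explicitly off, refuses any externally supplied URL that is not https, and confines bundled pages to the www directory. The function names are hypothetical, and the https-only policy and the assumption that www is bundled as a folder are choices made for this sketch.

```swift
import Foundation
import WebKit

// Hypothetical helper names; "www" matches the directory used above.
func makeHardenedWebView() -> WKWebView {
    let config = WKWebViewConfiguration()
    // Explicitly keep both file-access preferences off before the view is created.
    config.preferences.setValue(false, forKey: "allowFileAccessFromFileURLs")
    config.setValue(false, forKey: "allowUniversalAccessFromFileURLs")
    return WKWebView(frame: .zero, configuration: config)
}

/// URLs from external sources: accept https only, so file:// and
/// any other scheme never reach the web view.
func loadExternal(_ raw: String, in webView: WKWebView) -> Bool {
    guard let url = URL(string: raw),
          url.scheme?.lowercased() == "https",
          url.host != nil else { return false }
    webView.load(URLRequest(url: url))
    return true
}

/// Bundled pages: resolve ".." and symlinks, then require the result
/// to stay inside the www directory before granting read access to it.
func loadBundled(_ relativePath: String, in webView: WKWebView) -> Bool {
    guard let root = Bundle.main.url(forResource: "www", withExtension: nil)?
            .resolvingSymlinksInPath() else { return false }
    let page = root.appendingPathComponent(relativePath).resolvingSymlinksInPath()
    let rootParts = root.pathComponents
    guard page.pathComponents.count > rootParts.count,
          page.pathComponents.starts(with: rootParts) else { return false }
    webView.loadFileURL(page, allowingReadAccessTo: root)
    return true
}
```

Comparing path components rather than string prefixes prevents a sibling directory such as www-private from passing the containment check.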
See