fix(whatif): narrow MathJax file-URL access to allowFileAccessFromFileURLs#357
Open
jim-daf wants to merge 1 commit into
…eURLs The WhatIf WebView is loaded via loadDataWithBaseURL with a file:///android_asset/. base URL, so the page lives on a file scheme. allowUniversalAccessFromFileURLs(true) was set with a comment that it was needed for MathJax, but MathJax only needs to XHR other bundled assets, all of which are reached via file://. That is the narrower allowFileAccessFromFileURLs flag. allowUniversalAccessFromFileURLs is the documented CWE-200 broad variant that also lets the file URL page issue cross-origin XHR against any other origin, including app-private content. Swapping to the narrow flag keeps MathJax loading the way it did while removing the cross-origin escape.
Closes #356.
`WhatIfActivity.kt` sets, with the comment `// These are needed for MathJax`:

```kotlin
binding.web.settings.allowFileAccess = true
binding.web.settings.domStorageEnabled = true
binding.web.settings.allowUniversalAccessFromFileURLs = true
```

The article is loaded with a `file:///android_asset/.` base URL, so the WebView is on a `file://` origin and `allowUniversalAccessFromFileURLs` actually takes effect. With it on, any script reachable through the article HTML can issue cross-origin XHR against any origin, including the app's internal storage path served by the WebView's data dir. MathJax only needs to XHR other bundled assets (`/extensions/*.js`, fonts), which is what the narrower `allowFileAccessFromFileURLs` already covers.

Change

Swap the universal flag for the narrow one:

```diff
- binding.web.settings.allowUniversalAccessFromFileURLs = true
+ binding.web.settings.allowFileAccessFromFileURLs = true
```

MathJax continues to load because every resource it XHRs lives at `file:///android_asset/`. `allowFileAccess` and DOM storage stay where they are.
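Review bot: the `// These are needed for MathJax` comment above the changed line should be updated alongside the swap, since it now sits over a flag that was chosen deliberately for its narrower scope and a future reader could otherwise "restore" `allowUniversalAccessFromFileURLs` as a MathJax fix. Worth stating there that MathJax only fetches bundled assets under `file:///android_asset/`, and that with `allowFileAccess` left `true` the narrow flag still allows script in the article to XHR any `file://` path the app can read, which is the accepted residual scope.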