| author | Hazem Ashmawy <hazems@google.com> | 2020-02-14 16:27:38 +0000 |
|---|---|---|
| committer | Hazem Ashmawy <hazems@google.com> | 2020-02-26 12:26:36 +0000 |
| commit | ee824f006b69ece79ec261ca93bc47f1c195c399 (patch) | |
| tree | 1a94e1e4f864a65e22b8d6a16c09b832d4189df8 /core/java/android | |
| parent | 44a56296cb84ad77d4f0f766485cff230ea06a80 (diff) | |
WebView: Update setAllowFileAccess doc to reflect new default value
Update setAllowFileAccess java docs to reflect that it's now disabled by
default after merging crrev.com/c/2056824. Also add a note to use
androidx WebViewAssetLoader instead.
Bug: 148840827
Test: m offline-sdk-docs -j20
Change-Id: I15866ab63818771fd91f40828846d6b4c39d278e
(cherry picked from commit 47a4c2da51e9ffc3cdc71951c7aa927b492e0797)
Diffstat (limited to 'core/java/android')
| -rw-r--r-- | core/java/android/webkit/WebSettings.java | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/core/java/android/webkit/WebSettings.java b/core/java/android/webkit/WebSettings.java index 2d27a789ebcb..53541f786da0 100644 --- a/core/java/android/webkit/WebSettings.java +++ b/core/java/android/webkit/WebSettings.java @@ -369,10 +369,22 @@ public abstract class WebSettings { public abstract boolean getDisplayZoomControls(); /** - * Enables or disables file access within WebView. File access is enabled by - * default. Note that this enables or disables file system access only. - * Assets and resources are still accessible using file:///android_asset and - * file:///android_res. + * Enables or disables file access within WebView. + * Note that this enables or disables file system access only. Assets and resources + * are still accessible using file:///android_asset and file:///android_res. + * <p class="note"> + * <b>Note:</b> Apps should not open {@code file://} URLs from any external source in + * WebView, don't enable this if your app accepts arbitrary URLs from external sources. + * It's recommended to always use + * <a href="{@docRoot}reference/androidx/webkit/WebViewAssetLoader"> + * androidx.webkit.WebViewAssetLoader</a> to access files including assets and resources over + * {@code http(s)://} schemes, instead of {@code file://} URLs. To prevent possible security + * issues targeting {@link android.os.Build.VERSION_CODES#Q} and earlier, you should explicitly + * set this value to {@code false}. + * <p> + * The default value is {@code true} for apps targeting + * {@link android.os.Build.VERSION_CODES#Q} and below, and {@code false} when targeting + * {@link android.os.Build.VERSION_CODES#R} and above. */ public abstract void setAllowFileAccess(boolean allow); |
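Review bot: In the added note, the sentence "To prevent possible security issues targeting {@link android.os.Build.VERSION_CODES#Q} and earlier, you should explicitly set this value to {@code false}" reads as if the security issues target Q, when the subject is apps that target Q or lower, which per the paragraph that follows still default to {@code true}. Suggest rewording along the lines of "Apps targeting Q and below should explicitly set this value to false", and using one phrase throughout, since the hunk says "and earlier" here but "and below" in the default-value paragraph. The first sentence of the note is also a comma splice ("... from any external source in WebView, don't enable this if ..."); splitting it into two sentences would read better. Because the recommendation only makes sense once the reader knows the default, consider moving the default-value paragraph above the note.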
