Skip to content

fix(webview): drop allowFileAccessFromFileURLs in reader WebView#1277

Merged
Ashinch merged 1 commit into
ReadYouApp:mainfrom
jim-daf:fix-webview-file-url-access
May 15, 2026
Merged

fix(webview): drop allowFileAccessFromFileURLs in reader WebView#1277
Ashinch merged 1 commit into
ReadYouApp:mainfrom
jim-daf:fix-webview-file-url-access

Conversation

@jim-daf
Copy link
Copy Markdown
Contributor

@jim-daf jim-daf commented May 13, 2026
edited
Loading

Closes #1276.

WebViewLayout.get() enables two WebSettings flags for the GoogleSans and External reading-fonts preferences:

ReadingFontsPreference.GoogleSans -> {
    allowFileAccess = true
    allowFileAccessFromFileURLs = true
    "sans-serif"
}
ReadingFontsPreference.External -> {
    allowFileAccess = true
    allowFileAccessFromFileURLs = true
    "sans-serif"
}

Why this PR removes some of them:

  • allowFileAccessFromFileURLs = true only takes effect on a page whose URL has a file:// scheme, and even then it just lets scripts on that page XHR other file:// resources. The reader WebView is fed via loadDataWithBaseURL and HTTP URLs, not a file URL, so the flag does not change how Google Sans or the user-picked external font is loaded. It is removed in both branches.
  • allowFileAccess = true is not needed for the GoogleSans branch either. Bundled fonts under file:///android_asset/ load even when setAllowFileAccess(false) is in force on every supported Android version, which is the reason Android docs treat android_asset as a special case. The flag is removed there.
  • The External branch genuinely loads a font file the user picked from device storage, so allowFileAccess = true is preserved in that branch.

On minSdk <= 29 (this project ships minSdk = 26) allowFileAccess and allowFileAccessFromFileURLs default to true, so the removal in GoogleSans is effectively a tightening of WebView posture rather than a redundant change on older devices. On API 30+ both flags default to false and the change is a no-op for those devices.

@jim-daf
fix(webview): drop allowFileAccessFromFileURLs and unneeded allowFile…
934be88 
…Access in WebViewLayout

WebViewLayout.get() toggled two settings inside the ReadingFontsPreference
when block: allowFileAccess and allowFileAccessFromFileURLs, both set to
true for the GoogleSans and External preferences.

allowFileAccessFromFileURLs lets scripts running on a file:// page issue
XHR requests against other file:// resources. None of the article HTML
fed to this WebView is a file:// document (it is delivered via
loadDataWithBaseURL or loadUrl on http content), so the flag has no
positive effect for either font mode, and it broadens what a malicious
sub-resource could read if the WebView ever ended up on a file URL.

allowFileAccess for the GoogleSans branch is also unnecessary. The
Google Sans assets are bundled and reached via file:///android_asset/,
which works even when allowFileAccess is left at its default. The
External branch genuinely loads a user-picked font from device storage,
so the flag stays in place there.

Net effect:
  GoogleSans: no behaviour change, two unsafe flags removed
  External:   one unsafe flag removed, file access still permitted
              for the user-chosen font file
@jim-daf jim-daf mentioned this pull request May 13, 2026
Closed
@Ashinch Ashinch merged commit c717893 into ReadYouApp:main May 15, 2026
2 checks passed
@Ashinch
Copy link
Copy Markdown
Member

Ashinch commented May 15, 2026

Sweet, merging this now 🙌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Reader WebView enables allowFileAccessFromFileURLs in two font modes

2 participants

@jim-daf @Ashinch