!deprecation/security: remove setAcceptFileSchemeCookies

david-allison · criticalAY · commit d0d41f93360a · 2026-04-08T06:49:50.000Z
**Breaking change (security)**. Cards can no longer set or read `document.cookie` from file:// origins. I chose `CookieManager.getInstance()` to reduce code churn. `getWebViewPackage` is an alternative. **Deprecation: API 30** This setting is not secure, please use androidx.webkit.WebViewAssetLoader instead. Assisted-by: Claude Opus 4.6 - research Fixes 19863 ---- https://chromium.googlesource.com/chromium/src/+/refs/heads/main/android_webview/browser/cookie_manager.cc#867 https://chromium.googlesource.com/chromium/src/+/refs/heads/main/android_webview/glue/java/src/com/android/webview/chromium/CookieManagerAdapter.java
diff --git a/AnkiDroid/src/main/java/com/ichi2/anki/AnkiDroidApp.kt b/AnkiDroid/src/main/java/com/ichi2/anki/AnkiDroidApp.kt
@@ -190,8 +190,8 @@ open class AnkiDroidApp :
 
         makeBackendUsable(this)
 
-        // Configure WebView to allow file scheme pages to access cookies.
-        if (!acceptFileSchemeCookies()) {
+        // Probe WebView availability before any other init touches it (#5794).
+        if (!checkWebViewAvailable()) {
             return
         }
 
@@ -331,18 +331,20 @@ open class AnkiDroidApp :
         notifications.postValue(null)
     }
 
-    @Suppress("deprecation") // 7109: setAcceptFileSchemeCookies
-    protected fun acceptFileSchemeCookies(): Boolean =
+    /**
+     * Checks that [android.webkit.WebView] is usable.
+     */
+    protected fun checkWebViewAvailable(): Boolean =
         try {
-            CookieManager.setAcceptFileSchemeCookies(true)
+            CookieManager.getInstance()
             true
         } catch (e: Throwable) {
             // 5794: Errors occur if the WebView fails to load
             // android.webkit.WebViewFactory.MissingWebViewPackageException.MissingWebViewPackageException
             // Error may be excessive, but I expect a UnsatisfiedLinkError to be possible here.
             fatalInitializationError = FatalInitializationError.WebViewError(e)
-            sendExceptionReport(e, "setAcceptFileSchemeCookies")
-            Timber.e(e, "setAcceptFileSchemeCookies")
+            sendExceptionReport(e, "checkWebViewAvailable")
+            Timber.e(e, "checkWebViewAvailable")
             false
         }
 
