Commit c89b57f
authored
security(webview): lock down the dashboard WebView (#54)
The Clash/yacd dashboard WebView loads a user-editable URL (DataStore.yacdURL) with
JavaScript + DOM storage enabled (the yacd SPA requires both). Everything else is now
explicitly locked down so that page can never read the device filesystem or content
providers, escalate from file:// origins, downgrade to cleartext on an https page, or
spawn JS popups:
- allowFileAccess = false
- allowContentAccess = false
- allowFileAccessFromFileURLs = false
- allowUniversalAccessFromFileURLs = false
- mixedContentMode = MIXED_CONTENT_NEVER_ALLOW
- javaScriptCanOpenWindowsAutomatically = false; setSupportMultipleWindows(false)
Verified on-device: the yacd dashboard (MetaCubeX/yacd 0.3.6) still loads and runs from
http://127.0.0.1:9090/ui — no access-denied / mixed-content errors.1 parent 49d0283 commit c89b57f
1 file changed
Lines changed: 19 additions & 2 deletions
Lines changed: 19 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
35 | 35 | | |
36 | 36 | | |
37 | 37 | | |
38 | | - | |
39 | | - | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
40 | 57 | | |
41 | 58 | | |
42 | 59 | | |
| |||
0 commit comments