Hi there, I am running Android Lint on an application and was prompted with the following finding: Using setJavaScriptEnabled() can introduce XSS vulnerabilities into your application, review carefully.
It seems that this is simply a flag telling the WebView component whether to execute JavaScript or not. And it sounds like this rule is trying to propose the security best practice that unnecessary features (especially potentially harmful ones) should be turned off.

From the developer guide (http://developer.android.com/guide/practices/security.html#DynamicCode), it was said that "improper use can introduce common web security issues such as XSS". So my questions are:

1. Does the WebView have a security context like other browsers for executing JavaScript, e.g. making XMLHttpRequests, accessing cookies, loading page content, etc.?

2. Can anyone briefly describe an example of XSS if JavaScript is enabled? Is that just like ordinary XSS attacks on PC browsers? I would like to see if there are any other controls that save the application from being XSS-ed.

3. If the application really needs to execute JavaScript in the WebView component, are there any things that the developer can do to further protect the application from XSS, rather than simply ignoring this Lint rule and suppressing the warnings?

Many thanks!
