From ea8d965b67300510a30028f35a11aa1c2dc3cc53 Mon Sep 17 00:00:00 2001
From: dimitris
Date: Wed, 13 May 2026 22:44:07 +0200
Subject: [PATCH] Drop setAllowUniversalAccessFromFileURLs in ControlPanelFragment
ControlPanelFragment.afterView loads a panel from file:///android_asset/panels//index.html and attaches the ir JS bridge. It used to set both: settings.setAllowFileAccessFromFileURLs(true); settings.setAllowUniversalAccessFromFileURLs(true); The panel scripts (assets/js/Panel.coffee) call $.getJSON on a sibling file:// JSON descriptor (file:///android_asset/panels//*.json). That XHR is file-to-file, so setAllowFileAccessFromFileURLs(true) is needed for the existing panels to load their configuration. setAllowUniversalAccessFromFileURLs(true) is the strictly broader flag: it lets a file:// page XHR ANY origin, not just other file:// resources. The panel JS only ever fetches a sibling .json from android_asset, so this flag is not load-bearing for any existing panel. With the ir JS bridge attached, leaving it on would let an attacker-controlled panel exfiltrate IR command data, app information, or anything else the bridge exposes to a remote host (CWE-200). Drop the universal-access flag. The file-from-file flag stays in place so the existing JSON loading keeps working.
---
 .../timnew/smartremotecontrol/ControlPanelFragment.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/SmartRemoteControl/src/main/java/com/github/timnew/smartremotecontrol/ControlPanelFragment.java b/SmartRemoteControl/src/main/java/com/github/timnew/smartremotecontrol/ControlPanelFragment.java
index ac20105..00e4443 100644
--- a/SmartRemoteControl/src/main/java/com/github/timnew/smartremotecontrol/ControlPanelFragment.java
+++ b/SmartRemoteControl/src/main/java/com/github/timnew/smartremotecontrol/ControlPanelFragment.java
@@ -43,8 +43,12 @@ protected void afterView() {
 WebSettings settings = panel.getSettings();
 settings.setJavaScriptEnabled(true);
 settings.setAllowContentAccess(true);
+ // Panel JS calls $.getJSON on a sibling file:// JSON file under
+ // file:///android_asset/panels//, which needs file-from-file
+ // XHR. allowUniversalAccessFromFileURLs is not needed because the
+ // panel never XHRs an http or https origin, and on minSdk it
+ // would let any panel exfiltrate to any host.
 settings.setAllowFileAccessFromFileURLs(true);
- settings.setAllowUniversalAccessFromFileURLs(true);
 panel.addJavascriptInterface(emitter, "ir");
 panel.setWebViewClient(new WebViewClient() {
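Review bot: Deleting the `setAllowUniversalAccessFromFileURLs(true)` call leaves the setting at its platform default rather than turning it off, and the Android documentation gives that default as true for apps targeting ICE_CREAM_SANDWICH_MR1 or lower; the targetSdkVersion is not visible in this hunk, so the fix may depend on it. Writing `settings.setAllowUniversalAccessFromFileURLs(false);` next to the retained `setAllowFileAccessFromFileURLs(true)` makes the intent explicit and independent of the default. The added comment's "on minSdk it would let any panel exfiltrate to any host" is ambiguous about which API level is meant; naming the default behaviour it relies on, or dropping the "on minSdk" clause, would read more clearly. afterView continues past the hunk (the WebViewClient body is cut off), so whether page loads are confined to file:///android_asset/ while the `ir` bridge is attached cannot be judged from here and is worth confirming.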