From 22b5ba8c0140c4c675cdf5093514083a475cd7b4 Mon Sep 17 00:00:00 2001 From: Joe Fernandez Date: Wed, 22 Apr 2015 17:29:12 -0700 Subject: docs: Add text to JavaDocs regarding browser file access vulnerability b/17420682 Change-Id: Ic03b51778280570be65ae933fd906b140acdf023 --- core/java/android/webkit/WebSettings.java | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'core/java/android/webkit/WebSettings.java') diff --git a/core/java/android/webkit/WebSettings.java b/core/java/android/webkit/WebSettings.java index 1d2c311..ef9aaf1 100644 --- a/core/java/android/webkit/WebSettings.java +++ b/core/java/android/webkit/WebSettings.java @@ -900,7 +900,9 @@ public abstract class WebSettings { * and therefore secure policy, this setting should be disabled. * Note that this setting affects only JavaScript access to file scheme * resources. Other access to such resources, for example, from image HTML - * elements, is unaffected. + * elements, is unaffected. To prevent possible violation of same domain policy + * on {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH} and earlier + * devices, you should explicitly set this value to {@code false}. *

* The default value is true for API level * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and below, @@ -920,7 +922,9 @@ public abstract class WebSettings { * the value of {@link #getAllowUniversalAccessFromFileURLs} is true. * Note too, that this setting affects only JavaScript access to file scheme * resources. Other access to such resources, for example, from image HTML - * elements, is unaffected. + * elements, is unaffected. To prevent possible violation of same domain policy + * on {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH} and earlier + * devices, you should explicitly set this value to {@code false}. *

* The default value is true for API level * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and below, -- cgit v1.1