Java: Mention AssetLoader in WebView file access query documentation

egregius313 · egregius313 · commit 5ac1e012aee3 · 2022-11-30T10:43:53.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp
@@ -21,6 +21,11 @@
       <li><code>setAllowFileAccessFromFileURLs</code></li>
       <li><code>setAllowUniversalAccessFromFileURLs</code></li>
     </ul>
+
+    <p>If your application requires access to the file system, it is best to
+    avoid using <code>file://</code> urls, and instead use an alternative that
+    allows loading files via https, such
+    as <code>androidx.webkit.WebViewAssetLoader</code>.</p>
   </recommendation>
 
   <example>
@@ -45,6 +50,9 @@
     <li>
       Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowUniversalAccessFromFileURLs(boolean)">WebSettings.setAllowUniversalAccessFromFileURLs</a>.
     </li>
+    <li>
+      Android documentation: <a href="https://developer.android.com/reference/androidx/webkit/WebViewAssetLoader">WebViewAssetLoader</a>.
+    </li>
   </references>
 
 </qhelp>
