From e929fed771b3b7ebb98fe95dd332011334c1e779 Mon Sep 17 00:00:00 2001
From: jinliu9508
Date: Thu, 9 Oct 2025 15:26:27 -0400
Subject: [PATCH 1/2] add: security hardening around webview javaScriptEnabled
---
 .../internal/display/impl/WebViewManager.kt | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/display/impl/WebViewManager.kt b/OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/display/impl/WebViewManager.kt
index e2054ac49d..319b3184db 100644
--- a/OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/display/impl/WebViewManager.kt
+++ b/OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/display/impl/WebViewManager.kt
@@ -5,6 +5,7 @@ import android.app.Activity
 import android.os.Build
 import android.view.View
 import android.webkit.JavascriptInterface
+import android.webkit.WebSettings
 import android.webkit.WebView
 import com.onesignal.common.AndroidUtils
 import com.onesignal.common.ViewUtils
@@ -299,7 +300,6 @@ internal class WebViewManager(
 }
 }
- @SuppressLint("SetJavaScriptEnabled", "AddJavascriptInterface")
 suspend fun setupWebView(
 currentActivity: Activity,
 base64Message: String,
@@ -310,7 +310,7 @@ internal class WebViewManager(
 webView!!.overScrollMode = View.OVER_SCROLL_NEVER
 webView!!.isVerticalScrollBarEnabled = false
 webView!!.isHorizontalScrollBarEnabled = false
- webView!!.settings.javaScriptEnabled = true
+ secureSetup(webView!!)
 // Setup receiver for page events / data from JS
 webView!!.addJavascriptInterface(OSJavaScriptInterface(), JS_OBJ_NAME)
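Review bot: In the `@@ -310,7 +310,7 @@` hunk, `addJavascriptInterface(OSJavaScriptInterface(), JS_OBJ_NAME)` still runs right after `secureSetup(webView!!)`, so the bridge remains the main surface that script in the message HTML can reach, and none of the new settings narrows it. The `@@ -299,7 +300,6 @@` hunk also drops the `"AddJavascriptInterface"` suppression from `setupWebView` while that call stays; this is fine only if the module's minSdk is 17 or higher, which is not visible here. I would add a comment above the registration such as `// Trust boundary: every @JavascriptInterface method on OSJavaScriptInterface is callable by the message HTML; treat its arguments as untrusted.` The body of `setupWebView` starts and ends outside both hunks.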
@@ -329,6 +329,16 @@ internal class WebViewManager(
 webView!!.loadData(base64Message, "text/html; charset=utf-8", "base64")
 }
+ @SuppressLint("SetJavaScriptEnabled")
+ fun secureSetup(webView: WebView) =
+ with(webView.settings) {
+ javaScriptEnabled = true
+ allowFileAccess = false
+ allowFileAccessFromFileURLs = false
+ allowUniversalAccessFromFileURLs = false
+ mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
+ }
+
 // This sets the WebView view port sizes to the max screen sizes so the initialize
 // max content height can be calculated.
 // A render complete or resize event will fire from JS to tell Java it's height and will then display
From 2398782919dfb8df2518c9a2471b32a3e304de7a Mon Sep 17 00:00:00 2001
From: jinliu9508
Date: Thu, 16 Oct 2025 13:17:27 -0400
Subject: [PATCH 2/2] add a comment explaining the security measure
---
 .../internal/display/impl/WebViewManager.kt | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/display/impl/WebViewManager.kt b/OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/display/impl/WebViewManager.kt
index 319b3184db..a195b56d78 100644
--- a/OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/display/impl/WebViewManager.kt
+++ b/OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/display/impl/WebViewManager.kt
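Review bot: `secureSetup` in the `@@ -329,6 +329,16 @@` hunk turns off `file://` access but leaves `allowContentAccess` at its default, which is enabled, so the message page can still load `content://` URIs; add `allowContentAccess = false` inside the `with` block unless in-app messages rely on such URIs. `allowFileAccessFromFileURLs` and `allowUniversalAccessFromFileURLs` are deprecated since API 30 and only govern pages with a `file://` origin, while this WebView is filled through `loadData` (visible in the context line above), so they act as defence in depth and may need `@Suppress("DEPRECATION")` depending on the build's warning settings. The function is also declared without a visibility modifier; `private fun secureSetup(webView: WebView) =` would keep it off the class's surface if nothing outside `WebViewManager` calls it.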
@@ -329,6 +329,23 @@ internal class WebViewManager(
 webView!!.loadData(base64Message, "text/html; charset=utf-8", "base64")
 }
+ /**
+ * Applies security hardening to the WebView to prevent common vulnerabilities.
+ *
+ * Security measures:
+ * - JavaScript is enabled for IAM functionality but file access is completely blocked
+ * - Prevents file:// URL access to mitigate local file inclusion attacks
+ * - Blocks cross-origin access from file URLs to prevent data exfiltration
+ * - Disables mixed content (HTTP resources on HTTPS pages) to prevent MITM attacks
+ *
+ * This configuration protects against:
+ * 1. Malicious JavaScript accessing local device files
+ * 2. Cross-site scripting (XSS) attacks via file:// protocol
+ * 3. Man-in-the-middle attacks via downgraded HTTP content
+ *
+ * @SuppressLint is used because JavaScript is required for IAM functionality,
+ * but we mitigate the risk through strict file access controls.
+ */
 @SuppressLint("SetJavaScriptEnabled")
 fun secureSetup(webView: WebView) =
 with(webView.settings) {
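Review bot: The KDoc's closing paragraph says the JavaScript risk is mitigated by the file access controls, but the `OSJavaScriptInterface` bridge registered in `setupWebView` (patch 1/2) is untouched by these settings, so the comment overstates what `secureSetup` covers. The mixed-content bullet assumes an HTTPS page, whereas the context line shows the message being loaded with `loadData(...)`, where `MIXED_CONTENT_NEVER_ALLOW` likely has little effect, and item 2 describes file-origin access rather than XSS. I would reword the last paragraph to `JavaScript must stay enabled for IAM rendering; these settings only remove file and mixed-content access, and the JS bridge remains the trust boundary.` and soften the mixed-content bullet to say it applies if a secure-origin page is ever loaded. The body of `secureSetup` continues past the end of this hunk.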