Swift : WebView Misconfiguration
Classification
OWASP MASVS V6: 6.6.(L1/L2/L1+R/L2+R)
Overview
WebView is not configured with support for a minimum set of protocols (ideally https only). Support for potentially dangerous URL schemes (such as file, tel and app-id) is not disabled.
Several default schemes are available for WebView interpretation on iOS, for example:
* http(s)://
* file://
WebViews can load remote content from an endpoint, but they can also load local content from the app data directory. If local content is loaded, the user shouldn't be able to influence the filename or the path used to load the file, and users shouldn't be able to edit the loaded file. Thus, it is recommended to use other methods for loading local files or to take the recommended precautions.
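One way to apply both recommendations with WKWebView, as an added example that is not part of the original page: a navigation delegate that accepts only https plus file URLs under one fixed directory, and a loader whose filename is a constant. The class name `SchemeAllowlistDelegate`, the function `loadBundledHelpPage`, and the bundled `web/help.html` resource are assumptions made for illustration.

```swift
import Foundation
import WebKit

/// Hypothetical policy object (name assumed for this example).
final class SchemeAllowlistDelegate: NSObject, WKNavigationDelegate {
    /// Only https is accepted for remote content.
    private let allowedRemoteSchemes: Set<String> = ["https"]
    /// Directory of bundled pages; file:// is accepted only inside it.
    private let localRoot: URL?

    init(localRoot: URL?) {
        self.localRoot = localRoot?.standardizedFileURL.resolvingSymlinksInPath()
        super.init()
    }

    /// Decision logic kept separate from the delegate callback so it can be unit tested.
    func isAllowed(_ url: URL) -> Bool {
        guard let scheme = url.scheme?.lowercased() else { return false }
        if allowedRemoteSchemes.contains(scheme) { return true }
        if scheme == "file", let root = localRoot {
            // Resolve ".." and symlinks before comparing against the fixed root.
            let path = url.standardizedFileURL.resolvingSymlinksInPath().path
            return path.hasPrefix(root.path + "/")
        }
        return false // navigation to http, tel, app-id and any other scheme is cancelled
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url, isAllowed(url) else {
            decisionHandler(.cancel)
            return
        }
        decisionHandler(.allow)
    }
}

/// Loads a page whose name is a compile-time constant, never user input.
func loadBundledHelpPage(into webView: WKWebView) {
    // "help", "html" and the "web" subdirectory are assumed resource names.
    guard let page = Bundle.main.url(forResource: "help", withExtension: "html",
                                     subdirectory: "web") else { return }
    // Read access is limited to the page's own directory, not the whole container.
    webView.loadFileURL(page, allowingReadAccessTo: page.deletingLastPathComponent())
}
```

`WKWebView.navigationDelegate` is a weak reference, so the owning view controller has to keep the delegate instance alive. The app bundle is read-only on a device, which is why the local page is taken from there rather than from a writable data directory.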