add: security hardening around webview javaScriptEnabled

Author: jinliu9508

OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/display/impl/WebViewManager.kt

@@ -5,6 +5,7 @@ import android.app.Activity
 import android.os.Build
 import android.view.View
 import android.webkit.JavascriptInterface
+import android.webkit.WebSettings
 import android.webkit.WebView
 import com.onesignal.common.AndroidUtils
 import com.onesignal.common.ViewUtils
@@ -299,7 +300,6 @@ internal class WebViewManager(
         }
     }
 
-    @SuppressLint("SetJavaScriptEnabled", "AddJavascriptInterface")
     suspend fun setupWebView(
         currentActivity: Activity,
         base64Message: String,
@@ -310,7 +310,7 @@ internal class WebViewManager(
         webView!!.overScrollMode = View.OVER_SCROLL_NEVER
         webView!!.isVerticalScrollBarEnabled = false
         webView!!.isHorizontalScrollBarEnabled = false
-        webView!!.settings.javaScriptEnabled = true
+        secureSetup(webView!!)
 
         // Setup receiver for page events / data from JS
         webView!!.addJavascriptInterface(OSJavaScriptInterface(), JS_OBJ_NAME)
@@ -329,6 +329,15 @@ internal class WebViewManager(
         webView!!.loadData(base64Message, "text/html; charset=utf-8", "base64")
     }
 
+    @SuppressLint("SetJavaScriptEnabled")
+    fun secureSetup(webView: WebView) = with(webView.settings) {
+        javaScriptEnabled = true
+        allowFileAccess = false
+        allowFileAccessFromFileURLs = false
+        allowUniversalAccessFromFileURLs = false
+        mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
+    }
+
     // This sets the WebView view port sizes to the max screen sizes so the initialize
     //   max content height can be calculated.
     // A render complete or resize event will fire from JS to tell Java it's height and will then display