From 5ac1e012aee30a7550eeac3590644e16bbd622c9 Mon Sep 17 00:00:00 2001
From: Ed Minnix <egregius313@github.com>
Date: Wed, 30 Nov 2022 10:43:53 -0500
Subject: [PATCH] Java: Mention AssetLoader in WebView file access query
 documentation

---
 .../CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp    | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp
index f80c9f9a05d..fa4b1e1696f 100644
--- a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp
+++ b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp
@@ -21,6 +21,11 @@
       <li><code>setAllowFileAccessFromFileURLs</code></li>
       <li><code>setAllowUniversalAccessFromFileURLs</code></li>
     </ul>
+
+    <p>If your application requires access to the file system, it is best to
+    avoid using <code>file://</code> urls, and instead use an alternative that
+    allows loading files via https, such
+    as <code>androidx.webkit.WebViewAssetLoader</code>.</p>
   </recommendation>
 
   <example>
@@ -45,6 +50,9 @@
     <li>
       Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowUniversalAccessFromFileURLs(boolean)">WebSettings.setAllowUniversalAccessFromFileURLs</a>.
     </li>
+    <li>
+      Android documentation: <a href="https://developer.android.com/reference/androidx/webkit/WebViewAssetLoader">WebViewAssetLoader</a>.
+    </li>
   </references>
 
 </qhelp>