WebView.enableDragAndDrop introduces a security vulnerability: it leaks internal URLs when dragging a button, link, etc.
If ios_direct_local_requests = 0, then this negates the security through obscurity of randomizing the server port.
It could be mitigated in an app by not using URLs in the HTML, and using only JavaScript callback registrations for navigation.
In general, WebView.enableDragAndDrop seems problematical. It would need to be intelligently enabled/disabled for specific pages and further for specific items on a page.
I suggest watching Cordova, etc. to see what they do about this. It is going to be a problem for WebView-based hybrid platforms, because you do not have effective fine-grained control over page elements.
-webkit-user-drag: none CSS on or should disable it. Then you could enable for specific elements with -webkit-user-drag: element or -webkit-user-drag: auto. Or leave enabled and disable links and buttons, etc.
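An added example, not code from this issue or from the project, of the per-element approach suggested above done in script rather than CSS: a capturing dragstart handler cancels native drags that originate from links, buttons and images unless the element opts in with a hypothetical data-allow-drag="true" attribute, and for drags that are allowed it clears any payload entry whose value is an internal URL, so a randomized local server port never leaves the WebView. The internal-origin pattern (127.0.0.1/localhost) and the opt-in attribute name are assumptions for illustration; the dragstart event exposes the drag data in read/write mode, which is what makes the scrubbing possible.

```javascript
// Added example (not from the original issue or the project it discusses).
// Mitigation for the internal-URL leak via drag-and-drop in a WebView.

// Assumption: the app's internal server is reached via loopback. Adjust to taste.
const INTERNAL_ORIGIN_RE = /^https?:\/\/(127\.0\.0\.1|localhost)(:\d+)?/i;

// Elements whose browser-default drag payload is their URL or label.
const DRAGGABLE_BY_DEFAULT = ['A', 'IMG', 'BUTTON'];

function isInternalUrl(text) {
  return INTERNAL_ORIGIN_RE.test(String(text || '').trim());
}

// Walk up from the drag target: an element (or ancestor) that opted in with
// data-allow-drag="true" (hypothetical attribute) keeps its drag; otherwise any
// link/image/button in the chain cancels the drag outright.
function shouldCancelDrag(target) {
  let el = target;
  while (el) {
    if (el.dataset && el.dataset.allowDrag === 'true') return false;
    if (DRAGGABLE_BY_DEFAULT.includes(el.tagName)) return true;
    el = el.parentElement || null;
  }
  return false;
}

// For drags that are allowed, remove every payload type whose value is an
// internal URL (e.g. text/uri-list, text/plain). Returns the types removed.
function scrubDragData(dataTransfer) {
  const scrubbed = [];
  for (const type of Array.from(dataTransfer.types || [])) {
    if (isInternalUrl(dataTransfer.getData(type))) {
      dataTransfer.clearData(type);
      scrubbed.push(type);
    }
  }
  return scrubbed;
}

// Capturing dragstart handler; returns what it did so the policy can be inspected.
function onDragStart(event) {
  if (shouldCancelDrag(event.target)) {
    event.preventDefault();
    return 'cancelled';
  }
  return scrubDragData(event.dataTransfer).length ? 'scrubbed' : 'allowed';
}

// Install in a browser; guarded so the module also loads outside a DOM.
if (typeof document !== 'undefined') {
  document.addEventListener('dragstart', onDragStart, true);
}
```

Installing the listener in the capture phase means it runs before any page script's own dragstart handler, so an element cannot re-add the URL after scrubbing without also opting in.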