Security Advisory CVE-2020-6506
Vulnerability detail: https://nvd.nist.gov/vuln/detail/CVE-2020-6506
For users of the outdated Android WebView, Capacitor apps that load third-party content in iframes or directly in the web view are vulnerable only if precautions are not taken. We are currently exploring a solution to help mitigate the vulnerability. We recommend taking the following precautions if your application may be vulnerable:
Capacitor configuration (
The best line of defense is to only allow first-party trusted content in the web view.
- Do not set server.url to a third-party or untrusted website.
- Do not add untrusted websites to server.allowNavigation.
It is recommended that apps behaving as a web browser use the Browser plugin.
Care should be taken when using iframes in your application. If you need to include an iframe in your page, make sure the content is from a trusted source.
The vulnerability can be mitigated by using the sandbox attribute. Using an empty value is the most restrictive configuration that will prevent an attack.
<iframe sandbox="" src="https://example.com/risky.html"></iframe>
Caution: tokens can be added to the sandbox attribute to lift certain restrictions; however, some configurations will cause an app to remain vulnerable, such as "allow-popups allow-top-navigation allow-scripts".
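The precautions above can be checked mechanically before release. The script below is an added example, not part of the original advisory or the Capacitor project's code: it flags a server.url or server.allowNavigation entry outside a first-party list, and any third-party iframe whose sandbox attribute is missing or non-empty. The FIRST_PARTY list, the function names and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: check a Capacitor config and page markup against the advisory's precautions.
// FIRST_PARTY and every sample value below are constructed assumptions, not project code.
const FIRST_PARTY = new Set(["app.example.com"]);
const BASE = "https://app.example.com/"; // relative iframe src values resolve here

function isFirstParty(url) {
  try { return FIRST_PARTY.has(new URL(url, BASE).hostname); } catch { return false; }
}

// server.url and server.allowNavigation should only name trusted, first-party hosts.
function auditConfig(config) {
  const server = config.server || {};
  const findings = [];
  if (server.url && !isFirstParty(server.url)) findings.push(`server.url: ${server.url}`);
  for (const host of server.allowNavigation || []) {
    if (!FIRST_PARTY.has(host)) findings.push(`server.allowNavigation: ${host}`);
  }
  return findings;
}

// Simple regex scan (not a full HTML parser) of quoted attributes on <iframe> tags.
function auditIframes(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const src = (tag.match(/\ssrc\s*=\s*["']([^"']*)["']/i) || [])[1] || "";
    if (isFirstParty(src)) continue; // trusted content, per the advisory's first rule
    const sandbox = tag.match(/\ssandbox(?:\s*=\s*["']([^"']*)["'])?(?=[\s>\/])/i);
    const tokens = sandbox ? (sandbox[1] || "").trim() : null;
    if (tokens === null) findings.push({ src, issue: "no sandbox attribute" });
    else if (tokens !== "") findings.push({ src, issue: `review sandbox tokens: ${tokens}` });
  }
  return findings;
}

// Constructed sample inputs.
const SAMPLE_CONFIG = { server: { url: "https://example.com", allowNavigation: ["app.example.com", "example.net"] } };
const SAMPLE_HTML = `
<iframe sandbox="" src="https://example.com/risky.html"></iframe>
<iframe src="https://example.com/risky.html"></iframe>
<iframe sandbox="allow-popups allow-top-navigation allow-scripts" src="https://example.com/risky.html"></iframe>
<iframe src="/help.html"></iframe>`;

console.log(auditConfig(SAMPLE_CONFIG));
console.log(auditIframes(SAMPLE_HTML));
```

A non-empty sandbox value is reported for manual review rather than as a confirmed problem, since the advisory states only that some token combinations leave an app vulnerable.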
More information about the vulnerability can be found at https://bugs.chromium.org/p/chromium/issues/detail?id=1083819 and https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/. Many thanks to Alesandro Ortiz for bringing this to our attention.