fix(android): harden canvas webview bridge (#73240)

* fix(android): harden canvas webview bridge * fix(android): make canvas content access hardening explicit * fix(android): keep webview hardening inline for CodeQL * fix(android): avoid webview getter false positive
2026-05-02 14:40:27 +02:00 · 2026-04-27 21:41:01 -07:00
parent 52daf5fbd3
commit 2bce63cb65
2 changed files with 131 additions and 95 deletions
--- a/.github/codeql/codeql-android-critical-security.yml
+++ b/.github/codeql/codeql-android-critical-security.yml
@@ -5,6 +5,11 @@ disable-default-queries: true
 queries:
  - uses: security-extended

+query-filters:
+  # Android canvas intentionally runs trusted A2UI JavaScript; keep this profile focused on exploitable WebView edges.
+  - exclude:
+      id: java/android/websettings-javascript-enabled
+
 paths:
  - apps/android/app/src/main