CodeQL documentation

Unsafe WebView fetch

ID: swift/unsafe-webview-fetch
Kind: path-problem
Security severity: 6.1
Severity: warning
Precision: high
   - security
   - external/cwe/cwe-079
   - external/cwe/cwe-095
   - external/cwe/cwe-749
Query suites:
   - swift-code-scanning.qls
   - swift-security-extended.qls
   - swift-security-and-quality.qls

Click to see the query in the CodeQL repository

Fetching data in a web view without restricting the base URL may allow an attacker to access sensitive local data, for example using file://. Data can then be extracted from the software using the URL of a machine under the attacker’s control. More generally, an attacker may use a URL under their control as part of a cross-site scripting attack.


When loading HTML into a web view, always set the baseURL to an appropriate URL that you control, or to about:blank. Do not use nil, as this does not restrict URLs that can be resolved. Also do not use a baseURL that could itself be controlled by an attacker.


In the following example, a call to UIWebView.loadHTMLString has the baseURL set to nil, which does not restrict URLs that can be resolved from within the web page.

let webview = UIWebView()


webview.loadHTMLString(htmlData, baseURL: nil) // BAD

To fix the problem, we set the baseURL to about:blank. This ensures that an attacker cannot resolve URLs that point to the local file system, or to web servers under their control.

let webview = UIWebView()


webview.loadHTMLString(htmlData, baseURL: URL(string: "about:blank")) // GOOD


  • © GitHub, Inc.
  • Terms
  • Privacy