UIWebView is one of the most popular components in the Cocoa Touch library. It can be used to easily embed web content into iOS applications and - of course - to equally easily introduce Cross-Site Scripting vulnerabilities.
When loading content into a UIWebView on iOS, a programmer can choose one of three methods:
- loadData:MIMEType:textEncodingName:baseURL:
- loadHTMLString:baseURL:
- loadRequest:
Did you notice baseURL in the first two? This inconspicuous parameter is quite important when dealing with XSS.
As an alternative to loading an untrusted local file with loadRequest:, you can first read its contents yourself and then pass them to one of the two remaining methods, loadData:MIMEType:textEncodingName:baseURL: or loadHTMLString:baseURL:. Unfortunately, by default UIWebView content is loaded with file/applewebdata privileges. This is where the baseURL comes in handy: simply set it to the "about:blank" URL and Same Origin Policy will prevent cross-origin access (as it probably should do by default, Apple?).
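The two loading paths described above, side by side, as an added example (this is not code from the original post): the first hands a local file straight to loadRequest: and so runs it with a file:// origin, the second reads the file and loads the markup through loadHTMLString:baseURL: with "about:blank" as the base URL. The class name WebContentLoader and the idea that the file path comes from somewhere untrusted are assumptions made for the illustration.

```objective-c
#import <UIKit/UIKit.h>

// Hypothetical helper class for the illustration; not part of UIKit.
@interface WebContentLoader : NSObject
- (void)loadUntrustedFileWeakly:(UIWebView *)webView path:(NSString *)path;
- (void)loadUntrustedFileSafely:(UIWebView *)webView path:(NSString *)path;
@end

@implementation WebContentLoader

// Weak variant: loadRequest: with a file URL gives the document a file:// origin,
// so any script inside the untrusted file may read other local resources the
// app can reach (the file/applewebdata privileges the post talks about).
- (void)loadUntrustedFileWeakly:(UIWebView *)webView path:(NSString *)path {
    NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL fileURLWithPath:path]];
    [webView loadRequest:request];
}

// Hardened variant: read the markup ourselves and load it with an explicit
// "about:blank" base URL. The content then has no file:// origin and
// Same Origin Policy blocks its access to local files and applewebdata:// URLs.
- (void)loadUntrustedFileSafely:(UIWebView *)webView path:(NSString *)path {
    NSError *error = nil;
    NSString *html = [NSString stringWithContentsOfFile:path
                                               encoding:NSUTF8StringEncoding
                                                  error:&error];
    if (html == nil) {
        NSLog(@"could not read %@: %@", path, error);
        return;
    }
    // Passing nil as baseURL is not equivalent: per the post, the default
    // origin still carries file/applewebdata privileges, so the base URL
    // must be set explicitly.
    NSURL *opaqueOrigin = [NSURL URLWithString:@"about:blank"];
    [webView loadHTMLString:html baseURL:opaqueOrigin];
}

@end
```

When reviewing an app, the check is mechanical: every loadHTMLString:baseURL: and loadData:MIMEType:textEncodingName:baseURL: call that receives untrusted markup should pass a non-nil, non-file baseURL, and every loadRequest: with a file URL should be treated as running that file with local privileges.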