Skyscape Webview [upd] Review
| Component | Recommendation |
|-----------|----------------|
| | Android (WebView), iOS (WKWebView), or Windows (WebView2) |
| Authentication | SAML, OAuth2, or mTLS (client certificates) |
| Networking | Forced through Skyscape's outbound proxy (no direct internet) |
| SSL/TLS | Must use government-approved ciphers; self-signed certs not allowed |
| Cookie Mgmt | SameSite strict; secure & HttpOnly flags enforced |
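
```kotlin
import android.webkit.WebSettings

webView.settings.apply {
    javaScriptEnabled = true
    domStorageEnabled = true
    // Block any HTTP subresource on an HTTPS page
    mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
    setSupportZoom(false)
}

// Inject client certificate if required.
// Note: WebView.setCertificate() is deprecated since API 17 and does not present a
// client certificate to the server; mTLS certificate requests are answered in
// WebViewClient.onReceivedClientCertRequest().
webView.setCertificate(clientCert)
```
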
| Restriction | Why |
|-------------|------|
| | Prevents local file exfiltration |
| Remote debugging disabled in production | Avoids JS injection via USB |
| Cache disabled | Sensitive data should not persist on device |
| URL whitelist only | Blocks phishing or malicious redirects |
| JavaScript ↔ Native bridge limited | Prevent RCE via addJavascriptInterface() |
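
The following added example (not code from the original page) shows one way to enforce several rows of the restrictions table on Android: the URL allowlist, disabled remote debugging, no cache reads, and blocked local file access. The host name, `ALLOWED_HOSTS`, `isAllowed`, `AllowlistClient` and `harden` are hypothetical names, and mapping the file-access settings to the "prevents local file exfiltration" row is an assumption, since the page's restriction name is missing.

```kotlin
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient

// Hypothetical allowlist; replace with the hosts your deployment actually serves.
private val ALLOWED_HOSTS = setOf("portal.example.gov.uk")

// Kept as a separate function so the allowlist rule can be tested on its own.
fun isAllowed(uri: Uri): Boolean {
    // Exact host match over HTTPS only. Suffix or substring matching would accept
    // look-alike hosts such as portal.example.gov.uk.other.example.
    val host = uri.host?.lowercase() ?: return false
    // Reject URLs carrying user-info (user@host), a common way to disguise the real host.
    return uri.scheme == "https" && uri.userInfo == null && host in ALLOWED_HOSTS
}

class AllowlistClient : WebViewClient() {
    // Returning true cancels the navigation, so link clicks and redirects
    // to anything off the allowlist never load in the WebView.
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
        !isAllowed(request.url)
}

fun harden(webView: WebView) {
    // Remote debugging off (process-wide setting for all WebViews in the app).
    WebView.setWebContentsDebuggingEnabled(false)
    webView.settings.apply {
        allowFileAccess = false                  // refuse file:// URLs
        allowContentAccess = false               // refuse content:// URLs
        cacheMode = WebSettings.LOAD_NO_CACHE    // always load from network, never from cache
    }
    webView.webViewClient = AllowlistClient()
}

// Call when the session ends so cached resources do not stay on the device.
fun wipe(webView: WebView) {
    webView.clearCache(true)   // true = also remove on-disk cache files
    webView.clearHistory()
}
```

`shouldOverrideUrlLoading` is not invoked for subresource requests or for URLs passed directly to `loadUrl()`, so run `isAllowed` before calling `loadUrl()` and apply the same check in `shouldInterceptRequest` if subresources must also stay on the allowlist.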