I want to run untrusted code (from npm) in a webview, loaded from within the app as described in Load HTML file into WebView . This is because there's js libs that do what I want for a specific activity and reimplenting them in Android native code will be a huge project.
I don't want the code I fetch from npm to be able to leak information to some random server on the internet. Can I disable internet access on a WebView?
I'll do my own app IO via foreign interface calls on the Android object, where I can lock down the attack surface significantly.
