diff --git a/app/src/main/java/com/gianlu/aria2app/webview/WebViewActivity.java b/app/src/main/java/com/gianlu/aria2app/webview/WebViewActivity.java
index 961765bd..94c62a39 100644
--- a/app/src/main/java/com/gianlu/aria2app/webview/WebViewActivity.java
+++ b/app/src/main/java/com/gianlu/aria2app/webview/WebViewActivity.java
@@ -144,7 +144,13 @@ protected void onCreate(Bundle savedInstanceState) {
 
         WebSettings settings = web.getSettings();
         settings.setJavaScriptEnabled(true);
-        settings.setAllowFileAccess(true);
+        // The WebView is used to browse the web for downloadable links and
+        // hand them off to aria2. shouldInterceptRequest below routes every
+        // request through an OkHttpClient that only handles http and https
+        // (HttpUrl.parse returns null for file:// URIs and the request is
+        // dropped). file:// inputs are not a supported use case here, so
+        // there is no reason to leave the default file-access surface on.
+        settings.setAllowFileAccess(false);
         settings.setDomStorageEnabled(true);
         settings.setDatabaseEnabled(true);