diff --git a/SmartRemoteControl/src/main/java/com/github/timnew/smartremotecontrol/ControlPanelFragment.java b/SmartRemoteControl/src/main/java/com/github/timnew/smartremotecontrol/ControlPanelFragment.java
index ac20105..00e4443 100644
--- a/SmartRemoteControl/src/main/java/com/github/timnew/smartremotecontrol/ControlPanelFragment.java
+++ b/SmartRemoteControl/src/main/java/com/github/timnew/smartremotecontrol/ControlPanelFragment.java
@@ -43,8 +43,12 @@ protected void afterView() {
 WebSettings settings = panel.getSettings();
 settings.setJavaScriptEnabled(true);
 settings.setAllowContentAccess(true);
+ // Panel JS calls $.getJSON on a sibling file:// JSON file under
+ // file:///android_asset/panels//, which needs file-from-file
+ // XHR. allowUniversalAccessFromFileURLs is not needed because the
+ // panel never XHRs an http or https origin, and on minSdk it
+ // would let any panel exfiltrate to any host.
 settings.setAllowFileAccessFromFileURLs(true);
- settings.setAllowUniversalAccessFromFileURLs(true);
 panel.addJavascriptInterface(emitter, "ir");
 panel.setWebViewClient(new WebViewClient() {
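Review bot: The retained `settings.setAllowFileAccessFromFileURLs(true);` still lets script in any panel read every file:// URL the WebView is able to open, not only the sibling JSON the new comment describes, and that same script can call the `ir` bridge registered two lines below. If nothing outside this hunk already does so, add `settings.setAllowFileAccess(false);` next to it: per the WebSettings documentation this blocks file-system paths while file:///android_asset/ stays loadable, though the panel's $.getJSON call should be retested with it set. The comment's last sentence also overstates the fix, because the same-origin policy stops a panel from reading cross-origin responses but not from sending requests, so wording such as `// without it a panel cannot read responses from http(s) origins` would be more accurate. afterView() and the WebViewClient body continue outside the hunk, so whether navigation is confined to the bundled panels could not be checked here.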