[Development] Another method of registering QML types
Richard Moore
rich at kde.org
Thu Nov 8 23:15:52 CET 2012
On 8 November 2012 21:17, Alan Alpert <416365416c at gmail.com> wrote:
> On Thu, Nov 8, 2012 at 12:49 PM, BRM <bm_witness at yahoo.com> wrote:
>>> From: Alan Alpert <416365416c at gmail.com>
> If you have a http://remote/Image.qml with code like Image { source:
> "graphic.png" } the png will be fetched transparently.
>
>> [1] Yes, I realize that it would enable some on-the-fly stuff that might generate some security concerns. I would suggest that be documented so that users know they have to load appropriately trusted materials if we did that. They could just as easily write it to a temp file and load the temp file using the regular API too.
>
> That is the current alternative. You can do the exact same thing by
> writing out a temporary qmldir file to disk - it's just that I think
> that approach is horrible and unnecessary. (This is actually more of a
> security risk, because you could be overwriting the qmldir files for
> other imports, like "." ).
Loading code on the fly from a remote location like this without
enforcing HTTPS etc. is just plain crazy. I'd strongly suggest that it
be disabled by default if that's actually possible now.
Rich.
More information about the Development
mailing list