[Development] websockets (was RE: Qt 5.3 Feature freeze is coming quite soon...)

Konrad Rosenbaum konrad at silmor.de
Thu Jan 30 13:26:12 CET 2014


Hi Richard,

On Wednesday 29 January 2014 at 21:25, Richard Moore wrote:
> Sorry but most of this is irrelevant to Qt. Qt applications and QML
> applications are not like Javascript in a browser - they're already
> trusted and not sandboxed at all.

I know a few Qt applications that match exactly the scenario that masking is 
supposed to help against, to name just two obvious ones: Konqueror, Snowshoe.

A few of my own apps, while not browsers, allow user generated scripts (not 
necessarily JavaScript) and allow the scripts some access to HTTP. Some of 
those scripts are not fully trusted either - they have severe limits in what 
they can do.

> For Qt, we just need to ensure that
> the masking works (ie prevents a non-malicious app accidentally
> triggering a buggy proxy).

I am not overly concerned with QML and scripts programmed by the same people 
who did the C++ work. You can't defend against them anyway (except by not 
using the app).

I am concerned with user generated content that has access to HTTP and 
Websockets in some scripted way.

But I would agree that the percentage of Qt applications for which this is 
critical is very low and I would not waste too much effort on this for the 
initial release. It might even be argued that the effort should be shifted to 
apps that actually need secure random by implementing a weak virtual function 
and allowing the user to override it.



	Konrad