[Development] websockets (was RE: Qt 5.3 Feature freeze is coming quite soon...)
Konrad Rosenbaum
konrad at silmor.de
Thu Jan 30 13:26:12 CET 2014
Hi Richard,
On Wednesday 29 January 2014 at 21:25, Richard Moore wrote:
> Sorry but most of this is irrelevant to Qt. Qt applications and QML
> applications are not like Javascript in a browser - they're already
> trusted and not sandboxed at all.
I know a few Qt applications that match exactly the scenario that masking is
supposed to help against, to name just two obvious ones: Konqueror, Snowshoe.

A few of my own apps, while not browsers, allow user generated scripts (not
necessarily JavaScript) and allow the scripts some access to HTTP. Some of
those scripts are not fully trusted either - they have severe limits in what
they can do.
> For Qt, we just need to ensure that
> the masking works (ie prevents a non-malicious app accidentally
> triggering a buggy proxy).
I am not overly concerned with QML and scripts programmed by the same people
who did the C++ work. You can't defend against them anyway (except by not
using the app).
I am concerned with user generated content that has access to HTTP and
Websockets in some scripted way.
But I would agree that the percentage of Qt applications for which this is
critical is very low and I would not waste too much effort on this for the
initial release. It might even be argued that the effort should be shifted to
apps that actually need secure random by implementing a weak virtual function
and allowing the user to override it.
Konrad
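
The design suggested at the end of the message (a weak default mask source that an application can override with a secure one), as an added example that is not part of the original message and is not Qt code. `MaskGenerator`, `SecureMaskGenerator`, `applyMask` and `buildTextFrame` are hypothetical names, and `std::random_device` stands in for the platform's secure random source (assumption).

```cpp
#include <cstdint>
#include <cstdio>
#include <random>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical interface (not Qt API): source of the 32-bit masking key.
struct MaskGenerator {
    virtual ~MaskGenerator() = default;
    // Default is a fast non-cryptographic PRNG: enough to keep a well-behaved
    // client from accidentally emitting bytes that a buggy proxy misparses.
    virtual uint32_t nextMask() { return static_cast<uint32_t>(weak_()); }
    std::mt19937 weak_{std::random_device{}()};
};

// Override for apps that run untrusted scripts, where the key must not be
// predictable. std::random_device stands in for the OS CSPRNG (assumption).
struct SecureMaskGenerator : MaskGenerator {
    uint32_t nextMask() override { return rd_(); }
    std::random_device rd_;
};

// RFC 6455 section 5.3: payload octet i is XORed with key octet (i mod 4).
std::vector<uint8_t> applyMask(const std::vector<uint8_t>& data, uint32_t key) {
    const uint8_t k[4] = {uint8_t(key >> 24), uint8_t(key >> 16), uint8_t(key >> 8), uint8_t(key)};
    std::vector<uint8_t> out(data.size());
    for (std::size_t i = 0; i < data.size(); ++i)
        out[i] = static_cast<uint8_t>(data[i] ^ k[i % 4]);
    return out;
}

// Masked client text frame (FIN=1, opcode 0x1); only payloads up to 125 bytes.
std::vector<uint8_t> buildTextFrame(const std::string& text, MaskGenerator& gen) {
    if (text.size() > 125) throw std::length_error("extended payload length not handled");
    const uint32_t key = gen.nextMask();   // fresh key for every frame
    std::vector<uint8_t> frame = {0x81, static_cast<uint8_t>(0x80 | text.size())};
    for (int shift = 24; shift >= 0; shift -= 8)
        frame.push_back(static_cast<uint8_t>(key >> shift));
    const auto masked = applyMask(std::vector<uint8_t>(text.begin(), text.end()), key);
    frame.insert(frame.end(), masked.begin(), masked.end());
    return frame;
}

int main() {
    SecureMaskGenerator gen;
    for (uint8_t b : buildTextFrame("Hello", gen)) std::printf("%02x ", b);
    std::puts("");
}
```

Masking is its own inverse, so the receiver recovers the payload by applying the same key; what the override changes is only whether content running inside the application can guess the next key.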