[Development] websockets (was RE: Qt 5.3 Feature freeze is coming quite soon...)
Richard Moore
rich at kde.org
Thu Jan 30 13:37:58 CET 2014
On 30 January 2014 12:26, Konrad Rosenbaum <konrad at silmor.de> wrote:
> On Wednesday, Wednesday 29 January 2014 at 21:25, Richard Moore wrote:
>
>> Sorry but most of this is irrelevant to Qt. Qt applications and QML
>
>> applications are not like Javascript in a browser - they're already
>
>> trusted and not sandboxed at all.
>
>
>
> I know a few Qt applications that match exactly the scenario that masking is
> supposed to help against, to name just two obvious ones: Konqueror, Snowshoe
Those use webkit which has a separate implementation of websockets.
They do not use this module.
>
> A few of my own apps, while not browsers, allow user generated scripts (not
> necessarily JavaScript) and allow the scripts some access to HTTP. Some of
> those scripts are not fully trusted either - they have severe limits in what
> they can do.
User-generated scripts aren't the problem - those are presumably
trusted (or if they're not then you must have your own sandbox
implementation).
>> For Qt, we just need to ensure that
>> the masking works (ie prevents a non-malicious app accidentally
>> triggering a buggy proxy).
>
> I am not overly concerned with QML and scripts programmed by the same people
> who did the C++ work. You can't defend against them anyway (except by not
> using the app).
>
> I am concerned with user generated content that has access to HTTP and
> Websockets in some scripted way.
Again, only 3rd party untrusted content matters here and for that you
need a sandbox.
>
> But I would agree that the percentage of Qt applications for whicht this is
> critical is very low and I would not waste too much effort on this for the
> initial release. It might even be argued that the effort should be shifted
> to apps that actually need secure random by implementing a weak virtual
> function and allowing the user to override it.
>
Peppe has previously started looking at adding a secure random source
(in addition I provide one in the certificate addon). There are enough
use cases that I think we'll include one in Qt at some point.
Cheers
Rich.
More information about the Development
mailing list