[Interest] Question about QtWebKit security origins

Dmitry Shachnev mitya57.ml at gmail.com
Tue Apr 7 12:59:30 CEST 2015


Hi,

I am the developer of a Markdown editor (ReText) that uses QtWebKit to show file
previews. It uses the following code to set HTML on the web view:

    webView.setHtml(html, QUrl::fromLocalFile(filePath));

Here, filePath is an absolute path to the Markdown file being edited.
Passing it is needed to make sure QtWebKit can show images given by their
relative paths.

After this call the security context has 'file' as its scheme, so according
to the documentation [1] this is "local" content, and thus should be unable
to access remote URLs (because the QWebSettings::LocalContentCanAccessRemoteUrls
attribute is set to false by default).

However, if I put a script that tries to do an XMLHttpRequest to my remote
server, I see in the server logs that the request succeeds.

Why does that happen? Is there any way to disallow remote requests?
(I would prefer a solution that disallows *any* requests from JS code,
loading an external resource from HTML code is fine for me).

What I have tried:

1) If I do not pass the url to setHtml(), then the security origin scheme is
   an empty string, but remote HTTP requests no longer succeed.

   As I have already said, this is not an option for me, and I have tried this
   just for testing purposes.

2) If I save the HTML to a file and then load that file using

       webView.load(QUrl::fromLocalFile(htmlFilePath));

   then the first time, the scheme is empty (and requests to the remote server do not
   succeed). But if I do that call twice, then the second time the scheme
   becomes 'file', and remote requests start succeeding again.

   This behaviour seems strange to me; probably it is a bug in QtWebKit.

I am using Qt 5.4.1 from Debian GNU/Linux experimental repositories.
Unfortunately switching to QtWebEngine is not yet an option for me.

[1]: http://doc.qt.io/qt-5/qwebsecurityorigin.html

--
Dmitry Shachnev
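One way to enforce the "no remote requests" policy asked for above at the network layer, independent of the security-origin handling (an added example, not code from ReText or Qt): install a QNetworkAccessManager on the preview page that only lets through file:// URLs under the edited file's directory (plus data: URLs). It cannot tell requests made by JavaScript from those made by HTML, so it blocks remote loads from both, which is stricter than the poster wants; it assumes PyQt5 with the QtWebKit module, and `is_request_allowed` / `install_preview_filter` are names chosen here.

```python
"""Added example (not ReText's or Qt's own code): a per-view
QNetworkAccessManager that refuses everything except file:// URLs under
the directory of the previewed Markdown file (and data: URLs)."""
import os
from urllib.parse import unquote, urlparse


def is_request_allowed(request_url: str, base_file: str) -> bool:
    """Policy check, pure Python so it can be tested without Qt.

    base_file is the absolute path of the edited Markdown file (the same
    path passed to QUrl.fromLocalFile in setHtml). Only file:// URLs whose
    resolved path lies inside that file's directory are allowed; widen
    `root` if your documents reference images above it.
    """
    parts = urlparse(request_url)
    if parts.scheme == "data":          # inline images are harmless here
        return True
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        return False                    # http(s), ftp, file://host/... etc.
    root = os.path.realpath(os.path.dirname(base_file))
    target = os.path.realpath(unquote(parts.path))
    try:
        # Resolve symlinks and '..' before comparing, so file:///etc/passwd
        # or ../../ escapes are rejected rather than string-matched.
        return os.path.commonpath([root, target]) == root
    except ValueError:                  # e.g. different drives on Windows
        return False


def install_preview_filter(web_view, base_file: str):
    """Wire the policy into a QtWebKit QWebView (PyQt5 assumed)."""
    from PyQt5.QtCore import QUrl
    from PyQt5.QtNetwork import QNetworkAccessManager, QNetworkRequest

    class FilteringManager(QNetworkAccessManager):
        def createRequest(self, op, request, outgoing_data=None):
            if not is_request_allowed(request.url().toString(), base_file):
                # Replace the request with an empty URL: Qt answers it with
                # ProtocolUnknownError, so the load fails and no host is
                # contacted at all.
                request = QNetworkRequest(QUrl())
            return super().createRequest(op, request, outgoing_data)

    manager = FilteringManager(web_view)
    web_view.page().setNetworkAccessManager(manager)
    return manager
```

Call `install_preview_filter(webView, filePath)` once before `setHtml`; the filter stays in place across later `setHtml` calls because it is attached to the page, not to a particular document.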