[Qt-qml] Qml and security
henrik.hartz at nokia.com
Mon Apr 26 08:01:09 CEST 2010
Hi Tim,
On Apr 23, 2010, at 11:37 AM, ext Tim Beaulen wrote:
> I would like to use QML in my program in such a way that users can
> create custom "themes".
> But because it's possible to use javascript in QML files, I think I
> can not provide the users of my program with the necessary security.
> My program makes a connection with a service provider and most of the
> time it requires a password. Wouldn't it be easy to create a QML file
> that sends the password and username to anywhere one wants?
>
> In other words, is it possible now, or in the future, to disable
> scripts in QML files? For example a
> QDeclarativeEngine::disableScripts() function?
> Otherwise I need to screen each and every QML file before posting it
> to a central trusted repository. Of course, this would not be too much
> work as I don't expect too many of them. But what worries me is that
> these files can be downloaded everywhere, without my control.
>
> Can anyone share some experience please?
At the moment we do not enforce any security measures in QML, outside what you can do with QNetworkAccessManager (i.e. https). The best strategy here is to use a trust-mechanism.
Regarding disabling scripts, I doubt this is the right approach to solving the challenge outlined. In QML, all rvalues can be JavaScript expressions, so this would effectively limit your QML to use constant values. With this in mind, I think it should be sufficient for you to express your 'themes' as QML items that expose a set of properties. In your App QML you then bind various aspects of your UI to an instance of this theme, e.g. properties like titleBarColor. When you instantiate a different theme with the same properties, the change emits a NOTIFY and ensures that your 'theme' changes are applied where the property is used.
Cheers,
Henrik
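
Added example, not part of the original mail and not a Qt API: a conservative pre-publication screen for theme files, following the reply's point that a theme only needs to expose properties and the question's plan to review each file before it reaches a trusted repository. It assumes a theme is a single `QtObject` whose properties are plain literals, one declaration per line; the property names other than `titleBarColor` and the type list are assumptions, and anything the screen does not recognise is rejected rather than parsed.

```python
import re

# Properties the application binds to. "titleBarColor" is from the post;
# the other names and all types are assumptions.
ALLOWED = {"titleBarColor": "color", "backgroundColor": "color",
           "fontPixelSize": "int", "roundedCorners": "bool"}
LITERAL = {  # the only value form accepted per type
    "color": re.compile(r'"(#[0-9a-fA-F]{6}([0-9a-fA-F]{2})?|[a-z]+)"'),
    "int": re.compile(r"[0-9]{1,4}"),
    "bool": re.compile(r"true|false"),
}
IMPORT = re.compile(r"import (Qt|QtQuick) [0-9]+\.[0-9]+")
PROP = re.compile(r"property ([a-z]+) ([A-Za-z][A-Za-z0-9]*): (.+)")
# Constructed samples: a constants-only theme, and one with script in it.
GOOD = 'import QtQuick 1.0\nQtObject {\n  property color titleBarColor: "#336699"\n}'
BAD = 'QtObject {\n  property color titleBarColor: Qt.darker("red")\n  Component.onCompleted: console.log("hi")\n}'


def screen_theme(text):
    """Return a list of problems; an empty list means the theme passed."""
    problems, state = [], "head"            # head -> body -> done
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if state == "head" and IMPORT.fullmatch(line):
            continue                        # only the Qt module itself may be imported
        if state == "head" and line == "QtObject {":
            state = "body"
            continue
        if state == "body" and line == "}":
            state = "done"
            continue
        m = PROP.fullmatch(line) if state == "body" else None
        if not m:                           # handlers, functions, nested items, comments
            problems.append(f"line {n}: not allowed here: {line!r}")
            continue
        ptype, name, value = m.groups()
        if ALLOWED.get(name) != ptype:
            problems.append(f"line {n}: unexpected property {ptype} {name}")
        elif not LITERAL[ptype].fullmatch(value):
            problems.append(f"line {n}: value is not a plain {ptype} literal")
    if state != "done":
        problems.append("theme must be exactly one QtObject { ... } block")
    return problems
```

The screen only helps if the application loads themes exclusively from the screened repository; a theme file obtained elsewhere is still executed as ordinary QML.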