[Qtwebengine] Any way to disable same-origin policy?

Kevin Truong knt261 at gmail.com
Wed Nov 18 00:01:30 CET 2015


(CC'ing the mailing list, hope you don't mind)

Thanks Herman! Your response was clear and helpful. I think these options
are meant to fix the problem, but even after enabling the options, my issue
still persists for some reason. Here is an example of the code I have, and
the output I see. Note that m_page is of type QWebEnginePage:

    // Global (default) settings
    m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalStorageEnabled, true);
    m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessRemoteUrls, true);
    m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessFileUrls, true);

    // Settings of this page
    m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalStorageEnabled, true);
    m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessRemoteUrls, true);
    m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessFileUrls, true);

    m_page.load(url);

    // .... (loadFinished() is signaled)
    m_page.runJavaScript(m_script);

The script tries to access the contents of an iframe in the page, but runs
into this error:

javaScriptConsoleMessage: ErrorMessage on
https://www.redditstatic.com/reddit-init.en.2GOSboVBoYc.js:5: Client Error:
"SecurityError: Failed to read the 'contentDocument' property from
'HTMLIFrameElement': Blocked a frame with origin "https://www.reddit.com"
from accessing a cross-origin frame." thrown at L132:25 in  Message:
"Uncaught SecurityError: Failed to read the 'contentDocument' property from
'HTMLIFrameElement': Blocked a frame with origin "https://www.reddit.com"
from accessing a cross-origin frame."
javaScriptConsoleMessage: ErrorMessage on :132: Uncaught SecurityError:
Failed to read the 'contentDocument' property from 'HTMLIFrameElement':
Blocked a frame with origin "https://www.reddit.com" from accessing a frame
with origin "https://www.redditmedia.com". Protocols, domains, and ports
must match.



It seems like same-origin policy is still being enforced for some reason.
Maybe I am disabling it incorrectly... Does anyone have any idea what I can
do to fix this?

Best,
Kevin




On Tue, Nov 17, 2015 at 1:39 AM, Herman van Hazendonk <me at herrie.org> wrote:

> Hi Kevin,
>
> We've been working quite extensively on QtWebEngine while migrating our
> App Rendering back-end from QtWebKit to QtWebEngine in the past couple of
> months for our LuneOS (Open webOS)-project.
>
> We ran into "Oct 29 18:21:41 mako LunaWebAppManager1520: WARNING:
> 18:21:41.107: CONSOLE JS: XMLHttpRequest cannot load
> https://api.twitter.com/oauth/request_token. No
> 'Access-Control-Allow-Origin' header is present on the requested resource.
> Origin 'file://' is therefore not allowed access. The response had HTTP
> status code 400." for example.
>
> We solved this by enabling a setting for QtWebEngine:
>
> webView.settings.localContentCanAccessRemoteUrls = true;
>
> Our code example is at:
> https://github.com/webOS-ports/luna-webappmanager/commit/1dd780e0c554e3a6ecdd08fcf9df59173dd939ee
>
> You can find documentation for this at:
> http://doc.qt.io/qt-5/qml-qtwebengine-webenginesettings.html
>
> Hope this helps!
>
> Herman
>
>
>
> On 2015-11-17 03:47, Kevin Truong wrote:
>
>> Hi guys,
>>
>> I wrote a C++ class that utilizes QWebEnginePage. Towards the end of
>> the process, I execute QWebEnginePage.runJavaScript(), which is a
>> script that requires me to access the contents of iframes. Currently
>> the javascript stops prematurely, which I am assuming is due to
>> same-origin policy being enforced. Is there a way to disable this
>> setting in QtWebEngine?
>>
>> I am looking for an option similar to this, which is a way to do it
>> via command line for Chromium:
>>
>> http://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome
>> [1]
>>
>> But couldn't find a way to do this for QtWebEngine in C++ code after
>> googling for a while. Any help would be appreciated, thanks!
>>
>> Best,
>> Kevin
>>
>> Links:
>> ------
>> [1]
>>
>> http://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome
>>
>> _______________________________________________
>> QtWebEngine mailing list
>> QtWebEngine at qt-project.org
>> http://lists.qt-project.org/mailman/listinfo/qtwebengine
>>
>
>
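
As an added example, not code from either poster or from Qt: the origin comparison behind the two console messages quoted in this thread ("Protocols, domains, and ports must match"), together with whether the requesting document is local content, which is the case the LocalContentCanAccess... settings describe. The function names and the file: path are constructed for illustration, and treating every non-HTTP(S) scheme as an opaque origin is a simplifying assumption.

```javascript
// Added illustration; function names are hypothetical, not a Qt or Chromium API.

// Default ports, so https://host and https://host:443 compare as equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the (scheme, host, port) tuple for a URL, or null for an opaque origin.
// Assumption: file:, data: and other non-HTTP(S) schemes are treated as opaque.
function originOf(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// Same origin only if scheme, host and port all match; opaque never matches.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Classify an access: is it cross-origin, and is the requesting document
// local content (loaded from a file: URL)?
function classify(documentUrl, targetUrl) {
  return {
    crossOrigin: !sameOrigin(documentUrl, targetUrl),
    documentIsLocalContent: new URL(documentUrl).protocol === "file:",
  };
}

// Case from the earlier reply: a file: document requesting a remote URL
// (the file path is constructed).
const localCase = classify(
  "file:///constructed/app/index.html",
  "https://api.twitter.com/oauth/request_token"
);

// Case from the later message: an https page reading an iframe on another host.
const remoteCase = classify(
  "https://www.reddit.com/",
  "https://www.redditmedia.com/"
);

console.log({ localCase, remoteCase });
```

Both cases are cross-origin, but only the first has a local document; in the second, the page and the frame are both remote and differ in host.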