[Qtwebengine] Any way to disable same-origin policy?

Kevin Truong knt261 at gmail.com
Wed Nov 18 00:06:10 CET 2015


Forgot to mention, but in case it helps to clarify, the JavaScript console
outputs the exact same error messages whether or not I enable or comment
out these settings:


    m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalStorageEnabled, true);

    m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessRemoteUrls, true);

    m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessFileUrls, true);

    m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalStorageEnabled, true);

    m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessRemoteUrls, true);

    m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessFileUrls, true);


So it seems like changing the settings this way has no effect for me.



On Tue, Nov 17, 2015 at 3:01 PM, Kevin Truong <knt261 at gmail.com> wrote:

> (CC'ing the mailing list, hope you don't mind)
>
> Thanks Herman! Your response was clear and helpful. I think these options
> are meant to fix the problem, but even after enabling the options, my issue
> still persists for some reason. Here is some example code of what I have, and
> the output I see. Note that m_page is of type QWebEnginePage:
>
>     m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalStorageEnabled, true);
>
>     m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessRemoteUrls, true);
>
>     m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessFileUrls, true);
>
>     m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalStorageEnabled, true);
>
>     m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessRemoteUrls, true);
>
>     m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessFileUrls, true);
>
>     m_page.load(url);
>
> .... (loadFinished() is signaled)
> m_page.runJavaScript(m_script);
>
> The script tries to access the contents of an iframe in the page, but runs
> into this error:
>
> javaScriptConsoleMessage: ErrorMessage on
> https://www.redditstatic.com/reddit-init.en.2GOSboVBoYc.js:5: Client
> Error: "SecurityError: Failed to read the 'contentDocument' property from
> 'HTMLIFrameElement': Blocked a frame with origin "https://www.reddit.com"
> from accessing a cross-origin frame." thrown at L132:25 in  Message:
> "Uncaught SecurityError: Failed to read the 'contentDocument' property from
> 'HTMLIFrameElement': Blocked a frame with origin "https://www.reddit.com"
> from accessing a cross-origin frame."
> javaScriptConsoleMessage: ErrorMessage on :132: Uncaught SecurityError:
> Failed to read the 'contentDocument' property from 'HTMLIFrameElement':
> Blocked a frame with origin "https://www.reddit.com" from accessing a
> frame with origin "https://www.redditmedia.com". Protocols, domains, and
> ports must match.
>
>
>
> It seems like same-origin policy is still being enforced for some reason.
> Maybe I am disabling it incorrectly... Does anyone have any idea what I can
> do to fix this?
>
> Best,
> Kevin
>
>
>
>
> On Tue, Nov 17, 2015 at 1:39 AM, Herman van Hazendonk <me at herrie.org>
> wrote:
>
>> Hi Kevin,
>>
>> We've been working quite extensively on QtWebEngine while migrating our
>> App Rendering back-end from QtWebKit to QtWebEngine in the past couple of
>> months for our LuneOS (Open webOS)-project.
>>
>> We ran into "Oct 29 18:21:41 mako LunaWebAppManager1520: WARNING:
>> 18:21:41.107: CONSOLE JS: XMLHttpRequest cannot load
>> https://api.twitter.com/oauth/request_token. No
>> 'Access-Control-Allow-Origin' header is present on the requested resource.
>> Origin 'file://' is therefore not allowed access. The response had HTTP
>> status code 400." for example.
>>
>> We solved this by enabling a setting for QtWebEngine:
>>
>> webView.settings.localContentCanAccessRemoteUrls = true;
>>
>> Our code example is at:
>> https://github.com/webOS-ports/luna-webappmanager/commit/1dd780e0c554e3a6ecdd08fcf9df59173dd939ee
>>
>> You can find documentation for this at:
>> http://doc.qt.io/qt-5/qml-qtwebengine-webenginesettings.html
>>
>> Hope this helps!
>>
>> Herman
>>
>>
>>
>> On 2015-11-17 03:47, Kevin Truong wrote:
>>
>>> Hi guys,
>>>
>>> I wrote a C++ class that utilizes QWebEnginePage. Towards the end of
>>> the process, I execute QWebEnginePage.runJavaScript(), which is a
>>> script that requires me to access the contents of iframes. Currently
>>> the JavaScript stops prematurely, which I am assuming is due to
>>> same-origin policy being enforced. Is there a way to disable this
>>> setting in QtWebEngine?
>>>
>>> I am looking for an option similar to this, which is a way to do it
>>> via command line for Chromium:
>>>
>>> http://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome
>>> [1]
>>>
>>> But couldn't find a way to do this for QtWebEngine in C++ code after
>>> googling for a while. Any help would be appreciated, thanks!
>>>
>>> Best,
>>> Kevin
>>>
>
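
Added example (not part of the thread, and not Qt or LuneOS code): the origin comparison behind the "Protocols, domains, and ports must match" error, applied to the two access attempts described in the messages above. The file: path is constructed, and treating only file: as "locally loaded" content for the LocalContentCanAccess* attributes is a simplifying assumption.

```javascript
// Added example. The file: path is constructed; the other URLs come from the thread.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) tuple that the same-origin policy compares.
function originTuple(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // An omitted port means the scheme default, so :443 and "no port" match for https.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// List the tuple components that differ; an empty list means same origin.
function originMismatch(documentUrl, targetUrl) {
  const d = originTuple(documentUrl);
  const t = originTuple(targetUrl);
  return ["scheme", "host", "port"].filter((k) => d[k] !== t[k]);
}

// Classify one access attempt made by script in documentUrl against targetUrl.
function diagnose(documentUrl, targetUrl) {
  const mismatch = originMismatch(documentUrl, targetUrl);
  return {
    crossOrigin: mismatch.length > 0,
    mismatch,
    // Simplification (assumption): only file: is treated as "locally loaded" here.
    localContentSettingsApply: originTuple(documentUrl).scheme === "file:",
  };
}

// Case 1 (Kevin): script in the reddit.com page reads an iframe's contentDocument.
const iframeCase = diagnose("https://www.reddit.com/", "https://www.redditmedia.com/");
// Case 2 (Herman): a page loaded from file:// issues an XMLHttpRequest to a remote API.
const localCase = diagnose("file:///constructed/app/index.html",
                           "https://api.twitter.com/oauth/request_token");

console.log(iframeCase);
console.log(localCase);
```

In the iframe case the accessing document is an https page and only the host differs, so the attributes for locally loaded content are not in play; in the file:// case they are.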