[Qtwebengine] Any way to disable same-origin policy?

davidsz davidsz at inf.u-szeged.hu
Wed Nov 18 05:29:21 CET 2015 

Hi Kevin,

have you tried to pass "--disable-web-security" argument to your 
QApplication? It delegates the command line switches to the Chromium 
backend, so basically it should work.

Best regards,
Szabolcs


2015-11-18 00:06 időpontban Kevin Truong ezt írta:
> Forgot to mention, but in case it helps to clarify, the javascript
> console outputs the exact same error messages whether or not I enable
> or comment out these settings:
> 
> m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalStorageEnabled,
> true);
> 
> m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessRemoteUrls,
> true);
> 
> m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessFileUrls,
> true);
> 
> m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalStorageEnabled,
> true);
> 
> m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessRemoteUrls,
> true);
> 
> m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessFileUrls,
> true);
> 
> So it seems like changing the settings this way has no effect for me.
> 
> On Tue, Nov 17, 2015 at 3:01 PM, Kevin Truong <knt261 at gmail.com> wrote:
> 
> (CC'ing the mailing list, hope you don't mind)
> 
> Thanks Herman! Your response was clear and helpful. I think these 
> options are meant to fix the problem, but even after enabling the 
> options, my issue still persists for some reason. Here is an example 
> code of what I have, and the output I see. Note that m_page is of type 
> QWebEnginePage:
> 
> m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalStorageEnabled, 
> true);
> 
> m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessRemoteUrls, 
> true);
> 
> m_page.settings()->globalSettings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessFileUrls, 
> true);
> 
> m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalStorageEnabled, 
> true);
> 
> m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessRemoteUrls, 
> true);
> 
> m_page.settings()->setAttribute(QWebEngineSettings::WebAttribute::LocalContentCanAccessFileUrls, 
> true);
> 
> m_page.load(url);
> 
> .... (loadFinished() is signaled) m_page.runJavaScript(m_script);
>        
> The script tries to access the contents of an iframe in the page, but 
> runs into this error:
> 
> javaScriptConsoleMessage: ErrorMessage on 
> https://www.redditstatic.com/reddit-init.en.2GOSboVBoYc.js:5 [1]: 
> Client Error: "SecurityError: Failed to read the 'contentDocument' 
> property from 'HTMLIFrameElement': Blocked a frame with origin 
> "https://www.reddit.com [2]" from accessing a cross-origin frame." 
> thrown at L132:25 in  Message: "Uncaught SecurityError: Failed to read 
> the 'contentDocument' property from 'HTMLIFrameElement': Blocked a 
> frame with origin "https://www.reddit.com [2]" from accessing a 
> cross-origin frame."
> javaScriptConsoleMessage: ErrorMessage on :132: Uncaught SecurityError: 
> Failed to read the 'contentDocument' property from 'HTMLIFrameElement': 
> Blocked a frame with origin "https://www.reddit.com [2]" from accessing 
> a frame with origin "https://www.redditmedia.com [3]". Protocols, 
> domains, and ports must match.
> 
> It seems like same-origin policy is still being enforced for some 
> reason. Maybe I am disabling it incorrectly... Does anyone have any 
> idea what I can do to fix this?
> 
> Best,
> Kevin
> 
> On Tue, Nov 17, 2015 at 1:39 AM, Herman van Hazendonk <me at herrie.org> 
> wrote:
> Hi Kevin,
> 
> We've been working quite extensively on QtWebEngine while migrating our 
> App Rendering back-end from QtWebKit to QtWebEngine in the past couple 
> of months for our LuneOS (Open webOS)-project.
> 
> We ran into "Oct 29 18:21:41 mako LunaWebAppManager1520: WARNING: 
> 18:21:41.107: CONSOLE JS: XMLHttpRequest cannot load 
> https://api.twitter.com/oauth/request_token [4]. No 
> 'Access-Control-Allow-Origin' header is present on the requested 
> resource. Origin 'file://' is therefore not allowed access. The 
> response had HTTP status code 400." for example.
> 
> We solved this by enabling a setting for QtWebEngine:
> 
> webView.settings.localContentCanAccessRemoteUrls = true;
> 
> Our code example is at: 
> https://github.com/webOS-ports/luna-webappmanager/commit/1dd780e0c554e3a6ecdd08fcf9df59173dd939ee 
> [5]
> 
> You can find documentation for this at: 
> http://doc.qt.io/qt-5/qml-qtwebengine-webenginesettings.html [6]
> 
> Hope this helps!
> 
> Herman
> 
> On 2015-11-17 03:47, Kevin Truong wrote:
> Hi guys,
> 
> I wrote a C++ class that utilizes QWebEnginePage. Towards the end of
> the process, I execute QWebEnginePage.runJavaScript(), which is a
> script that requires me to access the contents of iframes. Currently
> the javascript stops prematurely, which I am assuming is due to
> same-origin policy being enforced. Is there a way to disable this
> setting in QtWebEngine?
> 
> I am looking for an option similar to this, which is a way to do it
> via command line for Chromium:
> http://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome 
> [7]
> [1]
> 
> But couldn't find a way to do this for QtWebEngine in C++ code after
> googling for a while. Any help would be appreciated, thanks!
> 
> Best,
> Kevin
> 
> Links:
> ------
> [1]
> http://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome 
> [7]
> 
> _______________________________________________
> QtWebEngine mailing list
> QtWebEngine at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/qtwebengine [8]
> 
> 
> 
> Links:
> ------
> [1] https://www.redditstatic.com/reddit-init.en.2GOSboVBoYc.js:5
> [2] https://www.reddit.com
> [3] https://www.redditmedia.com
> [4] https://api.twitter.com/oauth/request_token
> [5]
> https://github.com/webOS-ports/luna-webappmanager/commit/1dd780e0c554e3a6ecdd08fcf9df59173dd939ee
> [6] http://doc.qt.io/qt-5/qml-qtwebengine-webenginesettings.html
> [7]
> http://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome
> [8] http://lists.qt-project.org/mailman/listinfo/qtwebengine
> 
> _______________________________________________
> QtWebEngine mailing list
> QtWebEngine at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/qtwebengine

More information about the QtWebEngine mailing list