  1. Qt
  2. QTBUG-45556

Security policies work with content from local file, but not with setHtml(html, url)

Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: P3: Somewhat important
    • Fix Version/s: 5.5.0, 6.3.0
    • Affects Version/s: 5.4.1
    • Component/s: WebEngine, WebKit
    • Labels: None
    • Environment: Debian GNU/Linux with Qt 5.4.1 from experimental repository
    • Commits: 9cbcd93cfe0ba6f7531574f7784e8978bd723110

    Description

      Security policies (like LocalContentCanAccessFileUrls and LocalContentCanAccessRemoteUrls) work when the content is loaded from a local file (file:///path/to/file.html), or using setHtml(html). But when I use setHtml(html, relativeUrl) where relativeUrl is the same (file:///path/to/file.html), these policies do not work (i.e. the XMLHttpRequest to a remote server succeeds).

      For example, the HTML pages loaded using the last approach can access remote URLs even when QWebSettings::LocalContentCanAccessRemoteUrls is set to false.

      The problem is described in more detail in my mail to the interest mailing list: <http://lists.qt-project.org/pipermail/interest/2015-April/016376.html>. After doing some more experiments, I am convinced that this behavior is a bug in Qt WebKit, and is a security issue.
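
A source audit for the call pattern the report describes, as an added example that is not part of the original report or of Qt's code: it lists every setHtml call that passes a second (base URL) argument, along with which of the two settings named above the file mentions, so those call sites can be reviewed on affected versions. The function names and the C++ sample are constructed for illustration, and the argument splitter does not handle C++ raw string literals.

```python
import re
# Settings named in the report; their enforcement depended on how content was loaded.
POLICY_ATTRS = ("LocalContentCanAccessRemoteUrls", "LocalContentCanAccessFileUrls")

def split_args(text, start):
    """Return the top-level arguments of the call whose '(' is at text[start]."""
    args, cur, depth, quote, i = [], [], 1, None, start + 1
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == "\\" and i + 1 < len(text):  # keep escaped char in a literal
                cur.append(ch)
                i += 1
                ch = text[i]
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth == 0:  # closing paren of the call itself
                args.append("".join(cur).strip())
                return [a for a in args if a]
        elif ch == "," and depth == 1:  # separator between top-level arguments
            args.append("".join(cur).strip())
            cur = []
            ch = ""
        cur.append(ch)
        i += 1
    return []  # unbalanced parentheses: nothing reliable to report

def audit(source):
    """Return ([(line, base_url_expr)], [policy attrs mentioned]) for one file."""
    findings = []
    for m in re.finditer(r"\bsetHtml\s*\(", source):
        args = split_args(source, m.end() - 1)
        if len(args) >= 2:  # second argument is the base URL from the report
            findings.append((source.count("\n", 0, m.start()) + 1, args[1]))
    return findings, [a for a in POLICY_ATTRS if a in source]

# Constructed sample input (not taken from the report).
SAMPLE = '''\
QWebView view;
view.settings()->setAttribute(QWebSettings::LocalContentCanAccessRemoteUrls, false);
view.setHtml(render(doc, "a,b"));
view.setHtml(render(doc), QUrl::fromLocalFile(path));
'''
```

Running `audit(SAMPLE)` reports only the call on line 4, whose base URL expression is `QUrl::fromLocalFile(path)`, and notes that the file relies on LocalContentCanAccessRemoteUrls.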


          People

            allan.jensen Allan Sandfeld Jensen
            mandriver Dmitry Shachnev