Details
Description
Security policies (like LocalContentCanAccessFileUrls and LocalContentCanAccessRemoteUrls) work when the content is loaded from local file (file:///path/to/file.html), or using setHtml(html). But when I use setHtml(html, relativeUrl) where relativeUrl is the same (file:///path/to/file.html), these policies do not work (i.e. the XMLHttpRequest to a remote server succeeds).
For example, the HTML pages loaded using the last approach can access remote URLs even when QWebSettings::LocalContentCanAccessRemoteUrls is set to false.
The problem is described in detail in more detail in my mail to interest mailing list: <http://lists.qt-project.org/pipermail/interest/2015-April/016376.html>. After doing some more experiments, I am convinced that this behavior is a bug in Qt WebKit, and is a security issue.