Details
-
Suggestion
-
Resolution: Duplicate
-
P2: Important
-
None
-
5.5.1
-
None
-
Arch Linux, x64
Likely afects all environmnets
Description
Scripts injected via QWebEngineScript do not have a secure origin. This means various features are disabled for them – WebCrypto, Service Workers, etc.
As far as I can tell, the scripts inherit the security origin of the page into which they are injected.
An example error message:
userscript:client.js:2698: Only secure origins are allowed. http://goo.gl/lq4gCo
This is generated when using window.crypto.subtle in a script injected via QWebEngineScript on an http page from the internet.
The list of secure origins for chromium is here:
https://www.chromium.org/Home/chromium-security/security-faq#TOC-Which-origins-are-secure-
QWebEngineScript should inject the script using one of these origins, rather than as a userscript. Or at least have the option to use one of htese origins.
Attachments
Issue Links
- relates to
-
QTBUG-54902 I need to be able to use mixed content in web apps
- Closed