Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-50142

QWebEngineScript does not have a secure origin

    XMLWordPrintable

Details

    • Suggestion
    • Resolution: Duplicate
    • P2: Important
    • None
    • 5.5.1
    • WebEngine
    • None

    • Arch Linux, x64
      Likely afects all environmnets

    Description

      Scripts injected via QWebEngineScript do not have a secure origin. This means various features are disabled for them – WebCrypto, Service Workers, etc.

      As far as I can tell, the scripts inherit the security origin of the page into which they are injected.

      An example error message:

      userscript:client.js:2698: Only secure origins are allowed. http://goo.gl/lq4gCo

      This is generated when using window.crypto.subtle in a script injected via QWebEngineScript on an http page from the internet.

      The list of secure origins for chromium is here:
      https://www.chromium.org/Home/chromium-security/security-faq#TOC-Which-origins-are-secure-

      QWebEngineScript should inject the script using one of these origins, rather than as a userscript. Or at least have the option to use one of htese origins.

      Attachments

        Issue Links

          relates to

          Suggestion - Public suggestions QTBUG-54902 I need to be able to use mixed content in web apps

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              qt_webengine_team Qt WebEngine Team
              kovid Kovid Goyal
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes