Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-50725

QWebEngine debugging (developer tools) insecure

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • P3: Somewhat important
    • 5.11.0
    • 5.5.1
    • WebEngine
    • None
    • All environments

    Description

      The debugger support in QWebEngine is insecure. It currently involves the browser listening on a port specified via an environment variable. Any process running on the local machine can talk to that port – there is no authentication. So any process running on the local machine can control the browser, when the debugger is enabled. And since the debugger can only be enabled at application startup, enabling devtools in your QWebEngine based application makes it automatically insecure.

      Possible fixes:

      1) Implement http auth for connections to the debugger – this will likely require patches to the chromium source code. It may be that chromium already supports it, but I could find no references to it. Additionally, there would need to be a more secure way of passing the auth credentials to the browser process than using environment variables.

      2) Implement support for the inspector using the debugger extension API instead of using the remote debugging protocol

      This is a regression from Qt WebKit, where enabling devtools does not have any security implications.

      Attachments

        Issue Links

          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              allan.jensen Allan Sandfeld Jensen
              kovidgoyal Kovid Goyal
              Votes:
              4 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes