Details
-
Bug
-
Resolution: Won't Do
-
P2: Important
-
None
-
5.7.0
-
None
-
All environments
Description
Injected scripts using QWebEngineProfile inherit the security context of the page that is loaded. This means that connecting to a websocket, like this
new WebSocket('ws://localhost:9001')
fails if the page has been loaded with https, with the error,
The page at 'https://whatever/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://localhost:9001/'. This request has been blocked; this endpoint must be available over WSS.
If you use wss as specified in the error message, it will still fail for sites that define a content-security-policy directive, with the error message
Refused to connect to 'wss://localhost:9001/' because it violates the following Content Security Policy directive: "connect-src 'self'
As I said on a previous ticket, a year ago, the only robust solution for these issues is to load the injected script in a different security context, presumably the same technique as is used for chrome extensions.
And at the moment, since both QWebChannel (QTBUG-55039) and WebSocket are broken, there is no robust way to communicate between the application and the injected javascript, at all. At this rate I am going to have to be reduced to using runJavaScript + polling.
Attachments
Issue Links
- is duplicated by
-
QTBUG-54902 I need to be able to use mixed content in web apps
- Closed