Details
Description
QWebEngineUrlRequestInfo.firstPartyUrl() returns an invalid QUrl for requests from iframes with a different origin than the embedding page. On 5.11 info.firstPartyUrl().toDisplayString() results in "data:," and on 5.13 it is just "". This makes it hard to do, for example, per-domain request blocking.
You can see this in the wild in the stripe checkout widget https://stripe-payments-demo.appspot.com/ and google recaptcha https://recaptcha-demo.appspot.com/recaptcha-v2-checkbox.php
Here is my reproducer, it depends on localhost and 127.0.0.1 being different origins. Have two files; index.html
<html>
<head>
</head>
<body>
<iframe src="http://localhost:1234/iframefetcher.html"></iframe>
</body>
</html>
and iframefetcher.html
<html> <head> </head> <body> <script type="text/javascript" src="/doesntmatter.js"></script> </body> </html>
Serve that up on localhost python -m SimpleHTTPServer 1234
Then compile this program that just logs requests from an interceptor and run it with the argument http://127.0.0.1:1234/index.html (not localhost:1234):
#include <iostream> #include <QApplication> #include <QWebEngineView> #include <QWebEngineUrlRequestInterceptor> #include <QWebEngineUrlRequestInfo> #include <QWebEngineProfile> #include <QUrl> /* * Serve these two files. Acces the index file on http://127.0.0.1:1234/ so * that it has a different origin that the iframe's http://localhost:1234/ * Requests made from the iframe won't have a valid first party URL in the * interceptor. * * index file: <html> <head> </head> <body> <iframe src="http://localhost:1234/iframefetcher.html"></iframe> </body> </html> * iframe file "iframefetcher.html" <html> <head> </head> <body> <script type="text/javascript" src="/doesntmatter.js"></script> </body> </html> */ class MyInterceptor : public QWebEngineUrlRequestInterceptor { public: MyInterceptor(QObject *parent) : QWebEngineUrlRequestInterceptor(parent) { } void interceptRequest(QWebEngineUrlRequestInfo &info) { std::cout << "Saw request of type " << info.resourceType() << " from " << info.firstPartyUrl().toDisplayString().toStdString() << " (valid " << info.firstPartyUrl().isValid() << ") " << " to " << info.requestUrl().toDisplayString().toStdString() << std::endl; } }; int main(int argc, char *argv[]) { QApplication app(argc, argv); QWebEngineView view; QWebEngineProfile *profile = view.page()->profile(); MyInterceptor interceptor(profile); profile->setRequestInterceptor(&interceptor); view.load(QUrl(argv[1])); view.show(); return app.exec(); }
and you will see the request to http://localhost:1234/doesntmatter.js doesn't have a useful first party URL in the interceptor.