Qt / QTBUG-75759

Interceptor request info has invalid firstPartyUrl for requests from cross origin iframes


Details

    • Bug
    • Resolution: Fixed
    • P2: Important
    • 5.14
    • 5.13.0 Beta3
    • WebEngine
    • None
    • Linux Debian sid 5.11
      Linux Arch 5.13.0beta3-2 from kde-unstable
    • a1d3562d5115f5b06f9cb515df570e36c89ba187

    Description

      QWebEngineUrlRequestInfo.firstPartyUrl() returns an invalid QUrl for requests from iframes with a different origin than the embedding page. On 5.11 info.firstPartyUrl().toDisplayString() results in "data:," and on 5.13 it is just "". This makes it hard to do, for example, per-domain request blocking.

      You can see this in the wild in the Stripe checkout widget (https://stripe-payments-demo.appspot.com/) and Google reCAPTCHA (https://recaptcha-demo.appspot.com/recaptcha-v2-checkbox.php).

      Here is my reproducer; it depends on localhost and 127.0.0.1 being different origins. Have two files: index.html

      <html>
        <head>
        </head>
        <body>
          <iframe src="http://localhost:1234/iframefetcher.html"></iframe>
        </body>
      </html>
      

      and iframefetcher.html

      <html>
        <head>
        </head>
        <body>
        <script type="text/javascript" src="/doesntmatter.js"></script>
        </body>
      </html>
      

      Serve that up on localhost: python -m SimpleHTTPServer 1234
      Then compile this program that just logs requests from an interceptor and run it with the argument http://127.0.0.1:1234/index.html (not localhost:1234):

      #include <iostream>
      #include <QApplication>
      #include <QWebEngineView>
      #include <QWebEngineUrlRequestInterceptor>
      #include <QWebEngineUrlRequestInfo>
      #include <QWebEngineProfile>
      #include <QUrl>
      
      /*
       * Serve these two files. Access the index file on http://127.0.0.1:1234/ so
       * that it has a different origin than the iframe's http://localhost:1234/
       * Requests made from the iframe won't have a valid first party URL in the
       * interceptor.
       *
       * index file:
      <html>
        <head>
        </head>
        <body>
          <iframe src="http://localhost:1234/iframefetcher.html"></iframe>
        </body>
      </html>
       * iframe file "iframefetcher.html"
      <html>
        <head>
        </head>
        <body>
        <script type="text/javascript" src="/doesntmatter.js"></script>
        </body>
      </html>
       */
      
      class MyInterceptor : public QWebEngineUrlRequestInterceptor
      {
        public:
        MyInterceptor(QObject *parent) : QWebEngineUrlRequestInterceptor(parent)
        {
        }
      
        // Log the resource type, first-party URL (and its validity) and target of every request.
        void interceptRequest(QWebEngineUrlRequestInfo &info) override
        {
          std::cout <<
            "Saw request of type " << info.resourceType() <<
            " from " << info.firstPartyUrl().toDisplayString().toStdString() <<
            " (valid " << info.firstPartyUrl().isValid() << ") " <<
            " to " << info.requestUrl().toDisplayString().toStdString() <<
            std::endl;
        }
      };
      
      int main(int argc, char *argv[])
      {
          QApplication app(argc, argv);
          QWebEngineView view;
          QWebEngineProfile *profile = view.page()->profile();
          MyInterceptor interceptor(profile);
          profile->setRequestInterceptor(&interceptor);
      
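          // The page URL is required; bail out instead of reading past argv.
          if (argc < 2) {
              std::cerr << "usage: " << argv[0] << " <url>" << std::endl;
              return 1;
          }
          view.load(QUrl(argv[1]));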
          view.show();
          return app.exec();
      }
      

      and you will see the request to http://localhost:1234/doesntmatter.js doesn't have a useful first party URL in the interceptor.
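
An added example, not part of the original report or the Qt code base: a per-domain blocking decision that treats the unusable first-party values described above ("" and "data:,") as unknown and fails closed instead of silently matching no rule. It uses plain strings instead of QUrl so it compiles without Qt; hostOf, Policy and decide are hypothetical names.

```cpp
// Added illustration, not code from the Qt project or the report.
// Plain std::string stands in for QUrl; in an interceptor the two strings would
// come from info.firstPartyUrl() and info.requestUrl(). Names are hypothetical.
#include <iostream>
#include <set>
#include <string>

// Host of an absolute http(s) URL, or "" for anything else ("" and "data:,"
// included). Simplified: plain host[:port] only, no userinfo or IPv6 literals.
std::string hostOf(const std::string &url)
{
    for (const std::string scheme : {"http://", "https://"}) {
        if (url.compare(0, scheme.size(), scheme) == 0) {
            const std::size_t start = scheme.size();
            const std::size_t end = url.find_first_of(":/?#", start);
            return url.substr(start, end == std::string::npos ? end : end - start);
        }
    }
    return "";
}

enum class Decision { Allow, Block };

struct Policy {
    std::set<std::string> blockedAsThirdParty; // hosts refused when another site loads them
    bool blockWhenFirstPartyUnknown = true;    // fail closed if the first party is unusable
};

Decision decide(const Policy &p, const std::string &firstPartyUrl,
                const std::string &requestUrl)
{
    const std::string target = hostOf(requestUrl);
    if (p.blockedAsThirdParty.count(target) == 0)
        return Decision::Allow;                // no rule for this host
    const std::string firstParty = hostOf(firstPartyUrl);
    if (firstParty.empty())                    // the "" / "data:," case from the report
        return p.blockWhenFirstPartyUnknown ? Decision::Block : Decision::Allow;
    return firstParty == target ? Decision::Allow : Decision::Block;
}

int main()
{
    Policy p;
    p.blockedAsThirdParty.insert("localhost"); // constructed sample rule
    const std::string req = "http://localhost:1234/doesntmatter.js";
    for (const std::string fp : {"http://127.0.0.1:1234/index.html", "", "data:,"})
        std::cout << '"' << fp << "\" -> "
                  << (decide(p, fp, req) == Decision::Block ? "block" : "allow") << '\n';
    return 0;
}
```

With blockWhenFirstPartyUnknown set to false, the same request from the cross-origin iframe is allowed, which is the fail-open outcome a blocker keyed only on the first-party host would otherwise have.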

          People

            ztamas Tamas Zakor
            toofar toofar