Details
-
Type:
Bug
-
Status: Closed
-
Priority:
P1: Critical
-
Resolution: Done
-
Affects Version/s: 6.2.4, 6.3.0
-
Fix Version/s: 6.2.5, 6.3.1, 6.4.0 Beta1
-
Component/s: WebEngine
-
Labels:None
-
Commits:2ba1f04b45 (qt/qtwebengine/dev) cdd438c3aa (qt/qtwebengine/6.2) 8d0bd4b1a1 (qt/qtwebengine/6.3) 8d0bd4b1a1 (qt/qtwebengine/6.3.1) 8d0bd4b1a1 (qt/tqtc-qtwebengine/6.3.1) 2ba1f04b45 (qt/qtwebengine/6.4) 2ba1f04b45 (qt/tqtc-qtwebengine/6.4)
Description
With e.g. this HTML page:
<!doctype html>
<html>
<body>
<a href="https://qt.io">Qt</a>
</body>
</html>
saved to a test.html, clicking the link with QtWebEngine 6.2 causes the load to be blocked with ERR_NETWORK_ACCESS_DENIED. This can e.g. be reproduced in simplebrowser.
Setting QWebEngineSettings::LocalContentCanAccessRemoteUrls to true (false by default) fixes things, but that seems unexpected: An user clicking links isn't the local content accessing a remote URL, it's just the user following a link (and probably something common, certainly working fine in e.g. Chromium). It also means that the page can now load any remote content, which seems problematic security-wise.
Possibly related: Improve local scheme access rules (Ieb24da12) ยท Gerrit Code Review
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-