Details
-
Bug
-
Resolution: Fixed
-
P1: Critical
-
6.2.4, 6.3.0
-
None
-
2ba1f04b45 (qt/qtwebengine/dev) cdd438c3aa (qt/qtwebengine/6.2) 8d0bd4b1a1 (qt/qtwebengine/6.3) 8d0bd4b1a1 (qt/qtwebengine/6.3.1) 8d0bd4b1a1 (qt/tqtc-qtwebengine/6.3.1) 2ba1f04b45 (qt/qtwebengine/6.4) 2ba1f04b45 (qt/tqtc-qtwebengine/6.4)
Description
With e.g. this HTML page:
<!doctype html>
<html>
<body>
<a href="https://qt.io">Qt</a>
</body>
</html>
saved to a test.html, clicking the link with QtWebEngine 6.2 causes the load to be blocked with ERR_NETWORK_ACCESS_DENIED. This can e.g. be reproduced in simplebrowser.
Setting QWebEngineSettings::LocalContentCanAccessRemoteUrls to true (false by default) fixes things, but that seems unexpected: An user clicking links isn't the local content accessing a remote URL, it's just the user following a link (and probably something common, certainly working fine in e.g. Chromium). It also means that the page can now load any remote content, which seems problematic security-wise.
Possibly related: Improve local scheme access rules (Ieb24da12) ยท Gerrit Code Review
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-