Details
-
Bug
-
Resolution: Invalid
-
P3: Somewhat important
-
None
-
5.15
-
None
-
Linux/Yocto,
Windows
Description
RequestInterceptor didn't called for javascript URLs
// request.h #ifndef MAINWINDOW_H #define MAINWINDOW_H #include <QWebEngineUrlRequestInterceptor> class WebUrlRequestInterceptor : public QWebEngineUrlRequestInterceptor { Q_OBJECT public: WebUrlRequestInterceptor(QObject *p = Q_NULLPTR); void interceptRequest(QWebEngineUrlRequestInfo &info); }; #endif // MAINWINDOW_H // request.cpp #include "request.h" WebUrlRequestInterceptor::WebUrlRequestInterceptor(QObject *p) :QWebEngineUrlRequestInterceptor(p) { } void WebUrlRequestInterceptor::interceptRequest(QWebEngineUrlRequestInfo &info) { const QString scheme = info.requestUrl().scheme(); if(scheme != "http" && scheme != "https") info.block(true); } // main.cpp #include <QApplication> #include <QWebEngineProfile> #include <QWebEngineView> #include "request.h" int main(int argc, char *argv[]) { QApplication a(argc, argv); WebUrlRequestInterceptor *wuri = new WebUrlRequestInterceptor; QWebEngineProfile::defaultProfile()->setRequestInterceptor(wuri); QWebEngineView w; w.setUrl(QUrl("javascript:alert('test')")); w.show(); return a.exec(); }
When wSetUrl is set to https://google.com, works fine, is allowed. When it's set to file://, works also fine, blocked. But when it's set to any javascript function, the inspector is not being called, so it can execute any arbitrary function.
I would assume, that it will be blocked as well.