Type: Bug
Resolution: Unresolved
Priority: P2: Important
Affects Version/s: 6.7.3, 6.8.1
When clicking the button in the Document Picture-in-Picture API Example, the resulting QWebEngineNewWindowRequest has a destination() that is set to an uninitialized value (the same happens with QWebEnginePage::createWindow()).
This API is used e.g. by Google Workspace's new Huddles feature.
Reproducer:
    #include <QApplication>
    #include <QWebEngineView>
    #include <QWebEnginePage>
    #include <QWebEngineNewWindowRequest>
    #include <QUrl>
    #include <QDebug>

    int main(int argc, char *argv[])
    {
        QApplication app(argc, argv);
        QWebEngineView view;
        // Log the destination of every new-window request. For the
        // Document Picture-in-Picture button this value is uninitialized.
        QObject::connect(view.page(), &QWebEnginePage::newWindowRequested,
                         [](QWebEngineNewWindowRequest &request) {
                             qDebug() << request.destination();
                         });
        view.load(QUrl("https://mdn.github.io/dom-examples/document-picture-in-picture/"));
        view.show();
        return app.exec();
    }
In Chromium 116, the DocumentPictureInPicture API was added, together with a new WindowOpenDisposition::NEW_PICTURE_IN_PICTURE.
However, that is not part of the WindowOpenDisposition enum ("This must match window_open_disposition_list.h"). As an aside, WindowOpenDisposition::SWITCH_TO_TAB is missing too.
As a result, NEW_PICTURE_IN_PICTURE doesn't get handled in toWindowType and toDestinationType, and since Q_UNREACHABLE() doesn't do anything at runtime in a release build, the result is UB (in my case, a random value for .destination()).
As a workaround, --disable-blink-features=DocumentPictureInPictureAPI can be passed to Chromium, to disable the JS API entirely.
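The mapping pattern described above, modelled in plain C++ as an added example; this is not Qt WebEngine's or Chromium's own code. The enum members, the numeric value assumed for NEW_PICTURE_IN_PICTURE, the DestinationType mapping and all function names are assumptions made for illustration. It shows the unchecked switch beside a range-checked version that refuses to classify a disposition the enum does not know, plus the guard an embedding application can apply to a destination() value it cannot trust.

```cpp
#include <optional>

// Illustrative model of the Qt-side copy of WindowOpenDisposition. It is
// assumed to stop at NEW_WINDOW; Chromium 116+ also defines
// NEW_PICTURE_IN_PICTURE, whose numeric value is assumed here.
enum class WindowOpenDisposition : int {
    CURRENT_TAB = 0,
    NEW_FOREGROUND_TAB,
    NEW_BACKGROUND_TAB,
    NEW_POPUP,
    NEW_WINDOW,
    LAST_KNOWN = NEW_WINDOW,  // sentinel used by the range check below
};
constexpr int kChromiumNewPictureInPicture = 5;  // assumed; absent from the enum above

// Models QWebEngineNewWindowRequest::DestinationType plus an explicit
// "could not classify" value that the real enum does not have.
enum class DestinationType : int {
    InNewWindow = 0,
    InNewTab,
    InNewDialog,
    InNewBackgroundTab,
    Unknown,
};

// Buggy shape from the report: a switch with no default and an uninitialised
// result. The Q_UNREACHABLE() that would follow the switch does nothing at
// runtime in a release build, so an unlisted value hands the caller garbage.
// Kept for comparison only; calling it with a value outside the enum is UB.
DestinationType toDestinationTypeUnchecked(WindowOpenDisposition d)
{
    DestinationType result;  // deliberately uninitialised, as in the bug
    switch (d) {
    case WindowOpenDisposition::NEW_FOREGROUND_TAB: result = DestinationType::InNewTab; break;
    case WindowOpenDisposition::NEW_BACKGROUND_TAB: result = DestinationType::InNewBackgroundTab; break;
    case WindowOpenDisposition::NEW_POPUP:          result = DestinationType::InNewDialog; break;
    case WindowOpenDisposition::CURRENT_TAB:
    case WindowOpenDisposition::NEW_WINDOW:         result = DestinationType::InNewWindow; break;
    }
    // Q_UNREACHABLE();  <- no runtime effect in a release build
    return result;
}

// Range check against the values the enum actually declares. Anything
// Chromium adds later (NEW_PICTURE_IN_PICTURE, SWITCH_TO_TAB, ...) fails it.
bool isKnownDisposition(int raw)
{
    return raw >= static_cast<int>(WindowOpenDisposition::CURRENT_TAB)
        && raw <= static_cast<int>(WindowOpenDisposition::LAST_KNOWN);
}

// Hardened mapping: takes the raw integer as handed over by Chromium and
// returns nullopt instead of an indeterminate value for unknown dispositions.
std::optional<DestinationType> toDestinationTypeChecked(int raw)
{
    if (!isKnownDisposition(raw))
        return std::nullopt;
    switch (static_cast<WindowOpenDisposition>(raw)) {
    case WindowOpenDisposition::NEW_FOREGROUND_TAB: return DestinationType::InNewTab;
    case WindowOpenDisposition::NEW_BACKGROUND_TAB: return DestinationType::InNewBackgroundTab;
    case WindowOpenDisposition::NEW_POPUP:          return DestinationType::InNewDialog;
    case WindowOpenDisposition::CURRENT_TAB:
    case WindowOpenDisposition::NEW_WINDOW:         return DestinationType::InNewWindow;
    }
    return std::nullopt;  // not reachable after the range check, but never UB
}

// Embedder-side guard: validate the integer behind request.destination()
// before acting on it, since the API can hand back an out-of-range value.
DestinationType classifyDestination(int rawDestination)
{
    if (rawDestination < static_cast<int>(DestinationType::InNewWindow)
        || rawDestination > static_cast<int>(DestinationType::InNewBackgroundTab))
        return DestinationType::Unknown;
    return static_cast<DestinationType>(rawDestination);
}

// Policy: only honour a request whose destination could be classified.
// A garbage destination is treated as a deny rather than as "open something".
bool embedderMayOpen(int rawDestination)
{
    return classifyDestination(rawDestination) != DestinationType::Unknown;
}
```

In a real handler the guard would wrap `static_cast<int>(request.destination())` inside the newWindowRequested slot, and a request that fails it should simply not be opened; the fix on the Qt side is the checked mapping, not the embedder guard, but until that lands the guard keeps an uninitialized value from being acted on.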