Details
Description
Security policies (like LocalContentCanAccessFileUrls and LocalContentCanAccessRemoteUrls) work when the content is loaded from a local file (file:///path/to/file.html), or using setHtml(html). But when I use setHtml(html, relativeUrl) where relativeUrl is the same (file:///path/to/file.html), these policies do not work (i.e. the XMLHttpRequest to a remote server succeeds).
For example, the HTML pages loaded using the last approach can access remote URLs even when QWebSettings::LocalContentCanAccessRemoteUrls is set to false.
The problem is described in more detail in my mail to the interest mailing list: <http://lists.qt-project.org/pipermail/interest/2015-April/016376.html>. After doing some more experiments, I am convinced that this behavior is a bug in Qt WebKit, and is a security issue.
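The policy the report expects is easiest to see as a small model. The following is an added example, not Qt WebKit code: it assumes that a page's security origin is derived from the URL it was loaded from or from the base URL passed to setHtml(html, baseUrl), that setHtml(html) with no base URL yields an opaque origin, and that file: and qrc: count as "local content". Under that model the third loading method in the report (setHtml with a file:// base URL) gets a file origin and is therefore subject to LocalContentCanAccessRemoteUrls exactly like a page loaded from the file itself, which is what the merged change "Enforce no remote access from local URLs for XHR" restores.

```python
"""Model of the Qt WebKit 'local content' access policy for XMLHttpRequest.

Added example, not Qt WebKit's implementation. Assumptions: the origin of a
page comes from the URL it was loaded from or from the base URL given to
setHtml(html, baseUrl); setHtml(html) with no base URL yields an opaque
origin; the schemes in LOCAL_SCHEMES are treated as local content.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

LOCAL_SCHEMES = {"file", "qrc"}  # assumption: schemes treated as local content


@dataclass(frozen=True)
class Settings:
    # Mirrors the two QWebSettings attributes named in the report.
    local_content_can_access_remote_urls: bool = False
    local_content_can_access_file_urls: bool = True


# (scheme, host, port); ("null", "", None) stands for an opaque origin.
Origin = Tuple[str, str, Optional[int]]


def page_origin(load_method: str, url: Optional[str] = None) -> Origin:
    """Origin a page receives for each way of loading it.

    load_method is one of:
      "load_url"           - QWebView::load(QUrl(url))
      "set_html_with_base" - setHtml(html, QUrl(url))
      "set_html"           - setHtml(html) with no base URL
    """
    if load_method == "set_html" and url is None:
        return ("null", "", None)  # opaque origin, cannot reach anything
    if url is None:
        raise ValueError("load_url and set_html_with_base need a URL")
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.hostname or "", parts.port)


def xhr_allowed(origin: Origin, target: str, settings: Settings) -> bool:
    """Decide whether an XMLHttpRequest from `origin` to `target` is permitted."""
    scheme, host, port = origin
    t = urlsplit(target)
    t_scheme = t.scheme.lower()
    if scheme == "null":
        return False
    if scheme in LOCAL_SCHEMES:
        # Local content: gated by the two settings, regardless of how the
        # page was loaded. The report describes this check being skipped
        # for setHtml(html, fileBaseUrl).
        if t_scheme in LOCAL_SCHEMES:
            return settings.local_content_can_access_file_urls
        return settings.local_content_can_access_remote_urls
    # Non-local content: plain same-origin comparison (simplified model).
    return (t_scheme, t.hostname or "", t.port) == (scheme, host, port)


def report_scenarios(settings: Settings = Settings()) -> dict:
    """The three loading methods from the report, all requesting a remote URL."""
    remote = "https://example.com/api"  # constructed target
    local_file = "file:///path/to/file.html"  # path used in the report
    return {
        "load_url": xhr_allowed(page_origin("load_url", local_file), remote, settings),
        "set_html": xhr_allowed(page_origin("set_html"), remote, settings),
        "set_html_with_base": xhr_allowed(
            page_origin("set_html_with_base", local_file), remote, settings
        ),
    }


if __name__ == "__main__":
    for method, allowed in report_scenarios().items():
        print(f"{method:20s} remote XHR allowed: {allowed}")
```

With the default settings (LocalContentCanAccessRemoteUrls false) all three scenarios must deny the remote request; the report observed the third one succeeding. Flipping the setting to true is the explicit opt-in that should be required for a file-based page to reach a remote server.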
Attachments
For Gerrit Dashboard: QTBUG-45556

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
110718,7 | Enforce no remote access from local URLs for XHR | 5.4 | qt/qtwebkit | Status: MERGED | +2 | 0 |
112494,1 | Enforce no remote acces on local URLs for XHR | 5.5 | qt/qtwebkit | Status: ABANDONED | 0 | 0 |
147669,3 | Doc: QWebEngineSettings::WebAttribute values provide no safety mechanisms | 5.6.0 | qt/qtwebengine | Status: MERGED | +2 | 0 |