Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-50318

QWebEngine exposes webChannelTransport to scripts running on the page

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 5.7.0 Alpha
    • 5.5.1
    • WebChannel, WebEngine
    • None
    • All environments
    • bc315ce05298cf500f45f3a897b0f7c0408fd611

    Description

      scripts running on the page can see the window.qt.webChannelTransport object. This is a security risk since that object is used to implement control of the embedded browser from application code. From reading the source of qwebchannel.js there does not seem to be any security employed while transferring messages. I tried manually setting window.qt = undefined in my injected script and saving private reference to the qt object, but that causes the transport to stop working for some reason.

      Also, it would be good if Qt exposed the raw webchanneltransport object on the C++ side, that way we can implement our own communication schemes without having to rely on QWebChannel (which is a pretty awkward interface).

      Currently, one could run a private websocket server to get around both these problems, but that is sub-optimal for obvious reasons.

      Attachments

        1. Patch.diff
          3 kB
          Allan Sandfeld Jensen
        For Gerrit Dashboard: QTBUG-50318
        # Subject Branch Project Status CR V

        Activity

          People

            allan.jensen Allan Sandfeld Jensen
            kovid Kovid Goyal
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes