Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-50318

QWebEngine exposes webChannelTransport to scripts running on the page

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1: Critical
    • Resolution: Done
    • Affects Version/s: 5.5.1
    • Fix Version/s: 5.7.0 Alpha
    • Component/s: WebChannel, WebEngine
    • Labels:
      None
    • Environment:
      All environments
    • Commits:
      bc315ce05298cf500f45f3a897b0f7c0408fd611

      Description

      scripts running on the page can see the window.qt.webChannelTransport object. This is a security risk since that object is used to implement control of the embedded browser from application code. From reading the source of qwebchannel.js there does not seem to be any security employed while transferring messages. I tried manually setting window.qt = undefined in my injected script and saving private reference to the qt object, but that causes the transport to stop working for some reason.

      Also, it would be good if Qt exposed the raw webchanneltransport object on the C++ side, that way we can implement our own communication schemes without having to rely on QWebChannel (which is a pretty awkward interface).

      Currently, one could run a private websocket server to get around both these problems, but that is sub-optimal for obvious reasons.

        Attachments

        1. Patch.diff
          3 kB
          Allan Sandfeld Jensen
        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

            Assignee:
            allan.jensen Allan Sandfeld Jensen
            Reporter:
            kovid Kovid Goyal
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Gerrit Reviews

                There are no open Gerrit changes