QTBUG-50725

QWebEngine debugging (developer tools) insecure


    • Type: Bug
    • Resolution: Done
    • Priority: P3: Somewhat important
    • 5.11.0
    • 5.5.1
    • Component: WebEngine
    • Labels: None
    • Environment: All environments

The debugger support in QWebEngine is insecure. It currently involves the browser listening on a port specified via an environment variable. Any process running on the local machine can talk to that port – there is no authentication. So any process running on the local machine can control the browser, when the debugger is enabled. And since the debugger can only be enabled at application startup, enabling devtools in your QWebEngine based application makes it automatically insecure.

Possible fixes:

1) Implement http auth for connections to the debugger – this will likely require patches to the chromium source code. It may be that chromium already supports it, but I could find no references to it. Additionally, there would need to be a more secure way of passing the auth credentials to the browser process than using environment variables.

2) Implement support for the inspector using the debugger extension API instead of using the remote debugging protocol.

This is a regression from Qt WebKit, where enabling devtools does not have any security implications.
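As an added illustration (not code from this report or from Qt), a startup-time guard in Python that reads the environment variable the report refers to (Qt names it QTWEBENGINE_REMOTE_DEBUGGING, taking "port" or "host:port"), classifies how reachable the unauthenticated DevTools endpoint would be, and lets a deployment refuse to start with it set. The mapping of a bare port to loopback and the policy thresholds are assumptions for this example.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# Environment variable Qt WebEngine reads the remote debugging endpoint from.
DEBUG_ENV = "QTWEBENGINE_REMOTE_DEBUGGING"
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


@dataclass(frozen=True)
class DebugExposure:
    enabled: bool
    host: Optional[str]   # None when only a port was given
    port: Optional[int]
    reach: str            # "none", "local-processes" or "network"


def assess_remote_debugging(env: Mapping[str, str]) -> DebugExposure:
    """Classify who could reach the DevTools port if this environment were used."""
    raw = env.get(DEBUG_ENV, "").strip()
    if not raw:
        return DebugExposure(False, None, None, "none")
    host, sep, port_s = raw.rpartition(":")      # "host:port" or bare "port"
    if not port_s.isdigit() or not 0 < int(port_s) < 65536:
        raise ValueError(f"{DEBUG_ENV}={raw!r}: not a valid port or host:port")
    host = host.strip("[]") or None              # "[::1]:9222" -> "::1"
    # Assumption: a bare port binds loopback, so every local process (but
    # nothing off-host) can drive the browser; any other host widens that.
    reach = "local-processes" if host is None or host in LOOPBACK_HOSTS else "network"
    return DebugExposure(True, host, int(port_s), reach)


def enforce_policy(env: Mapping[str, str], allow_debugging: bool) -> DebugExposure:
    """Refuse to start unless DevTools is off, or explicitly allowed and loopback-only."""
    exposure = assess_remote_debugging(env)
    if exposure.enabled and (not allow_debugging or exposure.reach == "network"):
        raise RuntimeError(
            f"{DEBUG_ENV}={env[DEBUG_ENV]!r}: unauthenticated DevTools endpoint "
            f"reachable by {exposure.reach}; refusing to start"
        )
    return exposure


if __name__ == "__main__":
    # Release builds pass allow_debugging=False; developer builds may opt in.
    print(enforce_policy(os.environ, allow_debugging=False))
```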


Assignee: Allan Sandfeld Jensen
Reporter: Kovid Goyal
Votes: 4
Watchers: 9
