Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P2: Important
Fix Version/s: 5.11.0 Beta 3
Affects Version/s: 5.10.0
Component/s: WebEngine
Labels:
None

Commits:
789f375411b542db3ac3be79cbe0a6153720abf1

Description

Using the ViewSource action on e.g. http://user:passwd@httpbin.org/basic-auth/user/passwd opens a view-source:http://user:passwd@httpbin.org/basic-auth/user/passwd URL.

Since the path of that new URL is set to the original URL, calling toDisplayString() on it will include the user and password.

In Chromium, using "view source" on the same page opens the URL view-source:http://httpbin.org/basic-auth/user/passwd with that not displayed. I'm not sure if it's needed internally to get the source though - it doesn't seem to be stripped out when the URL is created (probably only when displayed?).

When opening http://user:passwd@httpbin.org/basic-auth/user/passwd and then opening view-source:http://httpbin.org/basic-auth/user/passwd by hand it seems to work fine without asking for credentials, so QtWebEngine should probably just strip that out when constructing the URL.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Peter Varga

Reporter:: Florian Bruhin

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 25 Jan '18 15:55

Updated:: 27 Nov '18 14:06

Resolved:: 27 Nov '18 14:06

Gerrit Reviews

There are no open Gerrit changes

Show There is 1 closed Gerrit change

Hide There is 1 closed Gerrit change

Remove credentials from view-source URLs: Gerrit Review: