  1. Qt
  2. QTBUG-79225

QWebEnginePage::NavigationType returns incorrect type for drag-and-drop events


    Details

    • Type: Bug
    • Status: Reported
    • Priority: P3: Somewhat important
    • Resolution: Unresolved
    • Affects Version/s: 5.13.1
    • Fix Version/s: None
    • Component/s: WebView
    • Labels:
      None
    • Platform/s:
      All

      Description

      I noticed recently that we were seeing some unexpected behavior with drag-and-drop of files into an embedded qwebenginepage and discovered that the acceptNavigationRequest override that we use to trap links that are clicked and send them to an external browser (the use-case is we have an internal qwebengine that we want to render some content but any clicks to links on those pages are opened in the user's native browser) was for some reason firing on files that were dragged-and-dropped onto the widget. Specifically, the code was only dealing with events of type QWebEnginePage::NavigationTypeLinkClicked.

      I made the following test-case to demonstrate the issue out of the sample simplebrowser.py https://gist.github.com/psifertex/65f6fcd5d06d8a31eb273c68fd24fdc2#file-simplebrowser-py-L51-L55

      Note that running the browser and then dragging a file onto the browser interface will trigger the log message when it seems like it should probably be a QWebEnginePage::NavigationTypeOther event instead.

      As an aside, in our use case the original behavior is actually a serious security issue, as our application is a reverse engineering tool that is often used to analyze malware* that normally opens the file in its own analysis (but does not run it!). In the default case, passing off a binary application to the native URL handler can execute the file, which is very much not a good idea in that scenario. For now we've just disabled all drag-and-drop into our qwebengineviews, which passes them to the parent, which will properly open the file in the application.

      *Yes, our users should be doing any malware analysis inside a sandboxed environment, preferably one of a different platform than the sample itself, but we'd rather not make it that easy to infect yourself. 
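
      An added example, not the reporter's code and not part of Qt: one way to keep a dropped file from reaching the native URL handler even while it is reported as NavigationTypeLinkClicked is to allow-list URL schemes before the hand-off. It assumes the PySide2 bindings; `EXTERNAL_SCHEMES`, `classify_navigation` and `ExternalLinkPage` are hypothetical names.

```python
from urllib.parse import urlsplit

# Assumption: only ordinary web links may leave the application.
EXTERNAL_SCHEMES = {"http", "https"}


def classify_navigation(url: str, is_link_clicked: bool) -> str:
    """Return 'external', 'internal' or 'block' for a navigation request.

    is_link_clicked is True when Qt reports NavigationTypeLinkClicked, which
    per this report also happens for files dropped onto the view.
    """
    if not is_link_clicked:
        return "internal"  # initial loads, reloads, etc. stay in the view
    scheme = urlsplit(url).scheme.lower()
    if scheme in EXTERNAL_SCHEMES:
        return "external"  # safe to pass to the user's browser
    # file:, custom protocol handlers and scheme-less URLs are never handed
    # to the OS, so a dropped binary cannot be launched through this path.
    return "block"


# Qt wiring. The import is guarded so the policy function above can be
# exercised on a machine without PySide2 installed.
try:
    from PySide2.QtGui import QDesktopServices
    from PySide2.QtWebEngineWidgets import QWebEnginePage
except ImportError:
    QWebEnginePage = None

if QWebEnginePage is not None:

    class ExternalLinkPage(QWebEnginePage):
        """Hypothetical page class: web links open externally, rest is filtered."""

        def acceptNavigationRequest(self, url, nav_type, is_main_frame):
            clicked = nav_type == QWebEnginePage.NavigationTypeLinkClicked
            verdict = classify_navigation(url.toString(), clicked)
            if verdict == "external":
                QDesktopServices.openUrl(url)
            # Only 'internal' navigations are allowed to load in the view.
            return verdict == "internal"
```

      With this policy a drop that arrives as a `file:` URL is rejected by the page instead of being opened by the operating system.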

       


            People

            Assignee:
            stromme Christian
            Reporter:
            psifertex Jordan Wiens