WebKit Bugzilla
New
Browse
Search+
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED INVALID
45436
[Qt] Expose the web security setting.
https://bugs.webkit.org/show_bug.cgi?id=45436
Summary
[Qt] Expose the web security setting.
Eugene Ostroukhov
Reported
2010-09-08 20:46:10 PDT
We are developing an IDE for mobile web widgets. Those widgets will be ran on the handhelds as standalone applications. Our IDE has a built-in web server that serves both the widget itself and "simulator" and has some logic (so from the browser opens "http://" url instead of "file://"). In this case call to remote site (i.e. to fetch RSS feed) becomes a cross-domain request and is blocked by webkit security. WebKit has a setting to disable this check (
http://trac.webkit.org/changeset/40449
). Qt does not expose it.
Attachments
Patch against webkit Git head.
(3.01 KB, patch)
2010-09-13 10:08 PDT
,
Eugene Ostroukhov
no flags
Details
Formatted Diff
Diff
Alternative patch
(3.08 KB, patch)
2010-09-14 23:46 PDT
,
Eugene Ostroukhov
no flags
Details
Formatted Diff
Diff
Alternative setting name. Tab from ChangeLog was removed
(3.07 KB, patch)
2010-09-15 08:40 PDT
,
Eugene Ostroukhov
menard
: commit-queue-
Details
Formatted Diff
Diff
Fixed comment#10
(3.11 KB, patch)
2010-10-09 21:17 PDT
,
Eugene Ostroukhov
hausmann
: review-
hausmann
: commit-queue-
Details
Formatted Diff
Diff
Patch that fixes flag position and documentation
(3.01 KB, patch)
2010-11-24 15:51 PST
,
Eugene Ostroukhov
no flags
Details
Formatted Diff
Diff
Same patch as comment #18 with the flag renamed to "WebSecurityEnabled"
(3.02 KB, patch)
2010-11-24 16:33 PST
,
Eugene Ostroukhov
no flags
Details
Formatted Diff
Diff
Patch
(3.47 KB, patch)
2013-06-17 02:37 PDT
,
Allan Sandfeld Jensen
no flags
Details
Formatted Diff
Diff
Show Obsolete
(6)
View All
Add attachment
proposed patch, testcase, etc.
Eugene Ostroukhov
Comment 1
2010-09-08 20:46:39 PDT
This is the patch against Qt Git repository: diff --git a/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.cpp b/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.cpp index d907d86..08bdf19 100644 --- a/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.cpp +++ b/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.cpp @@ -151,6 +151,10 @@ void QWebSettingsPrivate::apply() value = attributes.value(QWebSettings::JavascriptEnabled, global->attributes.value(QWebSettings::JavascriptEnabled)); settings->setJavaScriptEnabled(value); + + value = attributes.value(QWebSettings::WebSecurityEnabled, + global->attributes.value(QWebSettings::WebSecurityEnabled)); + settings->setWebSecurityEnabled(value); #if USE(ACCELERATED_COMPOSITING) value = attributes.value(QWebSettings::AcceleratedCompositingEnabled, global->attributes.value(QWebSettings::AcceleratedCompositingEnabled)); @@ -469,6 +473,7 @@ QWebSettings::QWebSettings() d->attributes.insert(QWebSettings::TiledBackingStoreEnabled, false); d->attributes.insert(QWebSettings::FrameFlatteningEnabled, false); d->attributes.insert(QWebSettings::SiteSpecificQuirksEnabled, true); + d->attributes.insert(QWebSettings::WebSecurityEnabled, true); d->offlineStorageDefaultQuota = 5 * 1024 * 1024; d->defaultTextEncoding = QLatin1String("iso-8859-1"); } diff --git a/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.h b/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.h index 156f633..03a8ab8 100644 --- a/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.h +++ b/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.h @@ -74,7 +74,8 @@ public: LocalContentCanAccessFileUrls, TiledBackingStoreEnabled, FrameFlatteningEnabled, - SiteSpecificQuirksEnabled + SiteSpecificQuirksEnabled, + WebSecurityEnabled }; enum WebGraphic { MissingImageGraphic,
Benjamin Poulain
Comment 2
2010-09-09 11:00:55 PDT
Here are the informations to submit a patch:
http://trac.webkit.org/wiki/QtWebKitContrib
The WebKit teams don't take any patch from the comments. If you need help to submit your first patch, please come on IRC on the channel #qtwebkit. Please also check if it is possible to do a unit test for this feature in the API.
Benjamin Poulain
Comment 3
2010-09-09 13:03:38 PDT
Oh, and you need to update the documentation as well when you add a value in the public API.
Eugene Ostroukhov
Comment 4
2010-09-13 10:08:16 PDT
Created
attachment 67421
[details]
Patch against webkit Git head.
Antonio Gomes
Comment 5
2010-09-14 12:38:41 PDT
(In reply to
comment #4
)
> Created an attachment (id=67421) [details] > Patch against webkit Git head.
\value WebSecurityEnabled Specifies whether browser should enforce same-origin policy. Note that + setting this flag is strongly discouraged as it makes the browser more prone to malicious code. I think WebSecurity is too general. Specially because in the documentation you explicitly cited about cross-domain access. Could not the setting be named along this?
Eugene Ostroukhov
Comment 6
2010-09-14 13:23:10 PDT
This patch is merely adding an inderection for the similary named property from the core WebKit codebase (this setting was introduced by a Chromium team and it corresponds to "--disable-web-security" command line switch). I do not know if this setting affects anything other then cross-domain calls. I used this name for consistency with the WebKit. I can rename the setting if needed.
Eugene Ostroukhov
Comment 7
2010-09-14 23:46:51 PDT
Created
attachment 67647
[details]
Alternative patch As an option - this patch will call it "EnforceSameOrigin". But I am not sure if it is a good practice to use different terminology from the upstream project...
WebKit Review Bot
Comment 8
2010-09-14 23:50:18 PDT
Attachment 67647
[details]
did not pass style-queue: Failed to run "['WebKitTools/Scripts/check-webkit-style']" exit_code: 1 WARNING: File exempt from style guide. Skipping: "WebKit/qt/Api/qwebsettings.h" WARNING: File exempt from style guide. Skipping: "WebKit/qt/Api/qwebsettings.cpp" WebKit/qt/ChangeLog:6: Line contains tab character. [whitespace/tab] [5] Total errors found: 1 in 3 files If any of these errors are false positives, please file a bug against check-webkit-style.
Eugene Ostroukhov
Comment 9
2010-09-15 08:40:46 PDT
Created
attachment 67680
[details]
Alternative setting name. Tab from ChangeLog was removed I apologize - I ran WebKitTools/Scripts/check-webkit-style prior to updating the ChangeLog.
Alexis Menard (darktears)
Comment 10
2010-10-08 02:16:49 PDT
Comment on
attachment 67680
[details]
Alternative setting name. Tab from ChangeLog was removed View in context:
https://bugs.webkit.org/attachment.cgi?id=67680&action=review
> WebKit/qt/Api/qwebsettings.cpp:429 > + from remote servers. Note that setting this flag is strongly discouraged as it makes the browser more
"Note that setting that flag *to false* ..." helps for a better understanding of the documentation I think. Could you add that it's true by default?
Eugene Ostroukhov
Comment 11
2010-10-09 21:17:32 PDT
Created
attachment 70386
[details]
Fixed
comment#10
Benjamin Poulain
Comment 12
2010-11-12 06:54:00 PST
***
Bug 33078
has been marked as a duplicate of this bug. ***
Benjamin Poulain
Comment 13
2010-11-12 06:54:17 PST
***
Bug 44482
has been marked as a duplicate of this bug. ***
Alex Karpenko
Comment 14
2010-11-22 15:35:43 PST
(In reply to
comment #5
)
> I think WebSecurity is too general. Specially because in the documentation you explicitly cited about cross-domain access. Could not the setting be named along this?
No, please leave it as WebSecurityEnabled. This is consistent with the naming of other flags in QWebSettings, which themselves mirror the naming upstream. I've submitted a patch independently from this one, which also used WebSecurityEnabled as the proper naming for this flag:
Bug 44482
. I'd like to know what's holding this patch from being merged? LocalContentCanAccessRemoteUrls and LocalContentCanAccessFileUrls are exposed, but this isn't. There are valid use cases for this setting, as evidenced by its existence upstream, and three independent bug reports requesting addition to the API.
Adam Barth
Comment 15
2010-11-22 17:50:57 PST
Speaking as the developer who added this setting, I think it make sense to expose. I would review the patch, but I don't feel qualified to make API choices for Qt.
Andreas Kling
Comment 16
2010-11-22 17:56:19 PST
(In reply to
comment #15
)
> Speaking as the developer who added this setting, I think it make sense to expose. I would review the patch, but I don't feel qualified to make API choices for Qt.
Endorsement noted! :) All Qt API changes must go through API review, which we'll be doing in Oslo this week.
Simon Hausmann
Comment 17
2010-11-23 07:06:44 PST
Comment on
attachment 70386
[details]
Fixed
comment#10
View in context:
https://bugs.webkit.org/attachment.cgi?id=70386&action=review
It looks straigh-forward to me, apart from the binary compatiblity (r- for that). But I think it would be good if the API documentation would not only say that this setting is problematic, it should also explain _when_ this setting _is_ useful after all.
> WebKit/qt/Api/qwebsettings.h:72 > + EnforceSameOrigin,
New enum values must be added at the end, otherwise the addition breaks binary compatibility.
Eugene Ostroukhov
Comment 18
2010-11-24 15:51:22 PST
Created
attachment 74803
[details]
Patch that fixes flag position and documentation In this patch the setting name is "EnforceSameOrigin" but
comment #17
is fixed.
Eugene Ostroukhov
Comment 19
2010-11-24 16:33:12 PST
Created
attachment 74808
[details]
Same patch as
comment #18
with the flag renamed to "WebSecurityEnabled" This is the same patch I uploaded as
comment #18
but the flag name is "WebSecurityEnabled" for consistency with core WebKit.
Alexis Menard (darktears)
Comment 20
2011-03-01 11:39:50 PST
Comment on
attachment 74808
[details]
Same patch as
comment #18
with the flag renamed to "WebSecurityEnabled" LGTM :)
Adam Barth
Comment 21
2011-04-26 15:23:14 PDT
Comment on
attachment 74803
[details]
Patch that fixes flag position and documentation This patch has been up for review for a long time but does not appear to have Qt API review. Folks with the power to approve Qt APIs should feel free to override this R-, but having this patch sit up for review for a long time isn't helping anyone.
Adam Barth
Comment 22
2011-04-26 15:23:33 PDT
Comment on
attachment 74808
[details]
Same patch as
comment #18
with the flag renamed to "WebSecurityEnabled" See above.
Azat Khuzhin
Comment 23
2012-12-04 09:39:47 PST
When this could merge to main line? Maybe need to update patch, but seems that it merged without errors. Thanks.
Allan Sandfeld Jensen
Comment 24
2013-06-17 02:37:26 PDT
Created
attachment 204802
[details]
Patch Rebased on trunk
WebKit Commit Bot
Comment 25
2013-06-17 02:40:08 PDT
Attachment 204802
[details]
did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/WebKit/qt/Api/qwebsettings.cpp', u'Source/WebKit/qt/Api/qwebsettings.h', u'Source/WebKit/qt/ChangeLog']" exit_code: 1 Source/WebKit/qt/Api/qwebsettings.cpp:276: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 1 in 3 files If any of these errors are false positives, please file a bug against check-webkit-style.
Anders Carlsson
Comment 26
2013-10-02 21:34:48 PDT
Comment on
attachment 204802
[details]
Patch Qt has been removed, clearing review flags.
Jocelyn Turcotte
Comment 27
2014-02-03 03:16:43 PST
=== Bulk closing of Qt bugs === If you believe that this bug report is still relevant for a non-Qt port of webkit.org, please re-open it and remove [Qt] from the summary. If you believe that this is still an important QtWebKit bug, please fill a new report at
https://bugreports.qt-project.org
and add a link to this issue. See
http://qt-project.org/wiki/ReportingBugsInQt
for additional guidelines.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug