https://bugs.kde.org/show_bug.cgi?id=431218
--- Comment #4 from Laurent Montel <mon...@kde.org> ---
(In reply to Timo Weingärtner from comment #3)
> I sent you a test case in private mail.

Yep thanks. I will look at it.

> When reading your patch and the surrounding code it looks like only some
> (images, now also fonts) request types are blacklisted. What about external
> style sheets or other types that might grow in HTML-land? Are there any
> external requests you think should be allowed?

see "BlockExternalResourcesUrlInterceptor" too
but indeed I need to block "style sheets" too.

>
> Regarding URL schemes: why is file:// allowed? I could think of some social
> engineering attacks that might work by including files from the victim's
> computer. I would read "external request" as external to the e-mail in
> question.

Because we use file:// for resources too (as loading html template/ local image etc.) => normal.

>
> To me the function could be as simple as:
>
> ----8<----8<----
> bool
> LoadExternalReferencesUrlInterceptor::
> interceptRequest(QWebEngineUrlRequestInfo &info)
> {
>     if (mAllowLoadExternalReference) {
>         return false;
>     }
>
>     const QString scheme = info.requestUrl().scheme();
>     if (scheme == QLatin1String("data")
>         || scheme == QLatin1String("cid")) {
>         return false;
>     }
>
>     return true;
> }

nope :) as we want to be able to load image from local etc :)

> ----8<----8<----
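
The trade-off discussed in this exchange, as an added example that is not part of the bug report or the project's code: a simplified model comparing a resource-type deny-list with the scheme allow-list from comment #3, plus a hypothetical variant that keeps `file`. The `Request` struct, the `Resource` enum and all function names are assumptions made for illustration.

```cpp
#include <cstdio>
#include <string>

// Simplified stand-in for the request properties the thread discusses
// (assumption: this is not Qt's QWebEngineUrlRequestInfo).
enum class Resource { Image, Font, StyleSheet };
struct Request { std::string scheme; Resource type; };

static bool isEmbedded(const std::string &s) { return s == "data" || s == "cid"; }

// All functions return true when the request is blocked.

// Model of a resource-type deny-list: only images and fonts are blocked,
// and file: is let through for local templates and images.
bool blockByType(const Request &r, bool allowExternal) {
    if (allowExternal || isEmbedded(r.scheme) || r.scheme == "file") return false;
    return r.type == Resource::Image || r.type == Resource::Font;
}

// Scheme allow-list as proposed in comment #3: only data: and cid: load.
bool blockByScheme(const Request &r, bool allowExternal) {
    return !allowExternal && !isEmbedded(r.scheme);
}

// Hypothetical variant: the same default-deny with file: kept loadable.
bool blockBySchemeKeepFile(const Request &r, bool allowExternal) {
    return !allowExternal && !isEmbedded(r.scheme) && r.scheme != "file";
}

int main() {
    // Constructed sample requests, not taken from the bug report.
    const Request samples[] = {
        {"https", Resource::Image}, {"https", Resource::StyleSheet},
        {"file", Resource::Image},  {"cid", Resource::Image},
    };
    const char *names[] = {"image", "font", "stylesheet"};
    std::printf("%-6s %-11s %-7s %-9s %s\n", "scheme", "type", "byType", "byScheme", "keepFile");
    for (const Request &r : samples) {
        std::printf("%-6s %-11s %-7d %-9d %d\n", r.scheme.c_str(),
                    names[static_cast<int>(r.type)], blockByType(r, false),
                    blockByScheme(r, false), blockBySchemeKeepFile(r, false));
    }
    return 0;
}
```

In the output, the `https` stylesheet row is the request a type deny-list lets through, and the `file` row is the one the strict allow-list blocks.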