On 8 November 2012 21:17, Alan Alpert <[email protected]> wrote:
> On Thu, Nov 8, 2012 at 12:49 PM, BRM <[email protected]> wrote:
>>> From: Alan Alpert <[email protected]>
> If you have a http://remote/Image.qml with code like Image { source:
> "graphic.png" } the png will be fetched transparently.
>
>> [1] Yes, I realize that it would enable some on-the-fly stuff that might
>> generate some security concerns. I would suggest that be documented so that
>> users know they have to load appropriately trusted materials if we did that.
>> They could just as easily write it to a temp file and load the temp file
>> using the regular API too.
>
> That is the current alternative. You can do the exact same thing by
> writing out a temporary qmldir file to disk - it's just that I think
> that approach is horrible and unnecessary. (This is actually more of a
> security risk, because you could be overwriting the qmldir files for
> other imports, like "." ).

Loading code on the fly from a remote location like this without enforcing HTTPS etc. is just plain crazy. I'd strongly suggest that it be disabled by default if that's actually possible now.

Rich.
_______________________________________________
Development mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/development
