On Thu, Nov 8, 2012 at 2:15 PM, Richard Moore <[email protected]> wrote: > On 8 November 2012 21:17, Alan Alpert <[email protected]> wrote: >> On Thu, Nov 8, 2012 at 12:49 PM, BRM <[email protected]> wrote: >>>> From: Alan Alpert <[email protected]> >> If you have a http://remote/Image.qml with code like Image { source: >> "graphic.png" } the png will be fetched transparently. >> >>> [1] Yes, I realize that it would enable some on-the-fly stuff that might >>> generate some security concerns. I would suggest that be documented so that >>> users know they have to load appropriately trusted materials if we did >>> that. They could just as easily write it to a temp file and load the temp >>> file using the regular API too. >> >> That is the current alternative. You can do the exact same thing by >> writing out a temporary qmldir file to disk - it's just that I think >> that approach is horrible and unnecessary. (This is actually more of a >> security risk, because you could be overwriting the qmldir files for >> other imports, like "." ). > > Loading code on the fly from a remote location like this without > enforcing HTTPS etc. is just plain crazy. I'd strongly suggest that it > be disabled by default if that's actually possible now.
The QML security policy is to be as careful with executing remote QML as you would be with remote binaries. I agree it's usually crazy to do that without enforcing some measure of transit security, but like C++ we leave that to the user. This prevents it from ruling out the cases where it's not crazy, like when it goes through trusted networks (like internal apps) or is properly sandboxed (like web apps). -- Alan Alpert _______________________________________________ Development mailing list [email protected] http://lists.qt-project.org/mailman/listinfo/development
