On 30 January 2014 12:26, Konrad Rosenbaum <[email protected]> wrote:
> On Wednesday 29 January 2014 at 21:25, Richard Moore wrote:
>> Sorry but most of this is irrelevant to Qt. Qt applications and QML
>> applications are not like Javascript in a browser - they're already
>> trusted and not sandboxed at all.
>
> I know a few Qt applications that match exactly the scenario that masking is
> supposed to help against, to name just two obvious ones: Konqueror, Snowshoe

Those use webkit which has a separate implementation of websockets. They do
not use this module.

> A few of my own apps, while not browsers, allow user generated scripts (not
> necessarily JavaScript) and allow the scripts some access to HTTP. Some of
> those scripts are not fully trusted either - they have severe limits in what
> they can do.

User-generated scripts aren't the problem - those are presumably trusted (or
if they're not then you must have your own sandbox implementation).

>> For Qt, we just need to ensure that
>> the masking works (ie prevents a non-malicious app accidentally
>> triggering a buggy proxy).
>
> I am not overly concerned with QML and scripts programmed by the same people
> who did the C++ work. You can't defend against them anyway (except by not
> using the app).
>
> I am concerned with user generated content that has access to HTTP and
> Websockets in some scripted way.

Again, only 3rd party untrusted content matters here and for that you need a
sandbox.

> But I would agree that the percentage of Qt applications for which this is
> critical is very low and I would not waste too much effort on this for the
> initial release. It might even be argued that the effort should be shifted
> to apps that actually need secure random by implementing a weak virtual
> function and allowing the user to override it.

Peppe has previously started looking at adding a secure random source (in
addition I provide one in the certificate addon). There are enough use cases
that I think we'll include one in Qt at some point.

Cheers

Rich.
_______________________________________________
Development mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/development
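
The overridable random source discussed in this thread, sketched as an added example that is not code from Qt or from either poster: a client-side WebSocket text frame is masked with a per-frame key obtained through a virtual function, so an application that needs unpredictable keys can plug in an OS-backed source. The names `MaskKeySource`, `UrandomKeySource`, `FixedKeySource`, `maskedTextFrame` and `unmaskTextFrame` are hypothetical, a Unix-like `/dev/urandom` is assumed, and the fixed key reproduces the masked "Hello" sample frame from RFC 6455.

```cpp
#include <array>
#include <cstdint>
#include <fstream>
#include <stdexcept>
#include <string>
#include <vector>

using MaskKey = std::array<std::uint8_t, 4>;

// Hypothetical interface: the overridable random source suggested in the thread.
struct MaskKeySource {
    virtual ~MaskKeySource() = default;
    virtual MaskKey next() = 0;
};
// Override that draws each key from the OS CSPRNG (assumes /dev/urandom exists).
struct UrandomKeySource : MaskKeySource {
    MaskKey next() override {
        MaskKey k{};
        std::ifstream f("/dev/urandom", std::ios::binary);
        if (!f.read(reinterpret_cast<char*>(k.data()), k.size()))
            throw std::runtime_error("no secure random source");  // fail closed
        return k;
    }
};
// Constant key, only for reproducing the RFC 6455 sample frame in a test.
struct FixedKeySource : MaskKeySource {
    MaskKey key;
    explicit FixedKeySource(MaskKey k) : key(k) {}
    MaskKey next() override { return key; }
};

// Single-frame masked text message (FIN=1, opcode 0x1), payload up to 125 bytes.
std::vector<std::uint8_t> maskedTextFrame(const std::string& payload, MaskKeySource& src) {
    if (payload.size() > 125) throw std::length_error("extended lengths not handled here");
    const MaskKey key = src.next();  // a fresh key for every frame
    std::vector<std::uint8_t> frame{0x81, static_cast<std::uint8_t>(0x80 | payload.size())};
    frame.insert(frame.end(), key.begin(), key.end());
    for (std::size_t i = 0; i < payload.size(); ++i)
        frame.push_back(static_cast<std::uint8_t>(payload[i] ^ key[i % 4]));
    return frame;
}
// Receiver side: validate the header, then undo the masking.
std::string unmaskTextFrame(const std::vector<std::uint8_t>& frame) {
    if (frame.size() < 6 || !(frame[1] & 0x80)) throw std::invalid_argument("not a masked frame");
    const std::size_t len = frame[1] & 0x7f;
    if (len > 125 || frame.size() != 6 + len) throw std::invalid_argument("bad length");
    std::string out;
    for (std::size_t i = 0; i < len; ++i)
        out.push_back(static_cast<char>(frame[6 + i] ^ frame[2 + i % 4]));
    return out;
}
```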
