While allowing pages loaded from one security origin to send XMLHttpRequests to
URLs located in a different security origin is unsecure for various reasons and
therefore should be forbidden by default, there are legitimate use cases such
as those of Offline Applications and Widgets that require this feature.
WebKit internally supports a static whiteList that pairs source security
origins with ranges of allowed target security origins.
This whieList is privately exposed by the QtWebKit Api for the use of
DumpRenderTree via
void QWEBKIT_EXPORT qt_drt_whiteListAccessFromOrigin(const QString&
sourceOrigin, const QString& destinationProtocol, const QString&
destinationHost, bool allowDestinationSubdomains);
void QWEBKIT_EXPORT qt_drt_resetOriginAccessWhiteLists();
Since the need for this Api appears to be broad and long term I suggest making
it an official Api. In keeping with other QtWebKit Apis, here is my proposal:
In the current QWebSecurity origin add the following members:
static QWebSecurityOrigin* create(const QUrl&);
-- This is needed because all current constructors of QWebSecurity
origin are private and none of them takes a Url as an argument.
-- Since this pattern is not used in Qt, probably adding a public
constructor would be more appropriate. Please vote on this.
typedef enum
{
DontIncludeSubdomains,
IncludeSubdomains
} SubdomainHandling;
void addToWhiteList(const QUrl&, SubdomainHandling subdomainHandling =
DontIncludeSubdomains);
static void clearWhiteLists();
-- These functions implement the currently hidden API.
-- There is a fine point about addToWhiteList:
qt_drt_whiteListAccessFromOrigin ignores *. at the beginning of the hostname,
QUrl does not accept host names containing *. This difference in behavior must
be accounted for in DumpRenderTree when making the transition and may be an
issue for users, as code like this
page->securityOrigin()->addToWhiteList(QUrl(http://*.google.com";),
QWebSecurityOrigin::IncludeSubDomains);
has the most likely unexpected effect of whitelisting all http websites.
an alternative is to use a version of add to whitelist that is closer to the
ultimate implementation:
void addToWhiteList(const QString& scheme, const QString& host,
SubdomainHandling subdomainHandling = DontIncludeSubdomains);
Please comment on the above solution, especially about the items in question:
pick, agree, object and/or propose improvements.
Thank you,
Carol Szabo
_______________________________________________
webkit-qt mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-qt
