RESOLVED INVALID109934
[Qt] qrc application scheme handler cannot be disabled 
https://bugs.webkit.org/show_bug.cgi?id=109934
Summary [Qt] qrc application scheme handler cannot be disabled
Milian Wolff
Reported 2013-02-15 06:33:41 PST
Recently QtWebKit started registering the qrc application scheme handler. While this might be neat for many simple apps, it becomes potentially undesired in bigger applications. Especially when you want to encapsulate HTML applications into a Qt app or write a HTML browser, you do not want random websites to access the app-local resources. Personally I think a way to unregister application scheme handlers could solve this issue but might not be possible due to the static i.e. read-only nature of the urlSchemeDelegates property in QML. Should we instead introduce a new setting such as experimental.enableQRCSchemeDelegate ? See also https://bugs.webkit.org/show_bug.cgi?id=108808 and: [13:04] <mibrunin> [16:13:29] milian: I added a comment :) AFAICS, qrc handler is not within the list of handlers as it will always be registered... [13:04] <milian> [16:14:51] hm that shounds odd - shouldn't the qrc scheme be registered explicitly? [13:04] <milian> [16:15:09] otherwise any website could access qrc data of a Qt webbrowser - no? [13:04] <milian> [16:15:24] explicitly == by the user? [13:04] <mibrunin> [16:20:15] milian: you might have a point there, i.e. we might have to add API to enable the qrc handler. however, that is a separate bug. [13:04] <milian> [16:20:45] yeah - but re-registering the qrc handler should be done in my patch? [13:04] <milian> [16:20:56] I can do it, but it feels odd to me - so I wnat to make sure :) [13:04] <mibrunin> [16:21:33] milian: I would say so, otherwise, qrc handling would remain broken after a webprocess relaunch [13:04] <mibrunin> [16:24:03] milian: I'd suggest to do it like this, as otherwise, the qrc scheme handling would work up until a webprocess crash and then cease to work [13:04] <mibrunin> [16:25:07] milian: but good point to have it explicitly enabled / restrict access in some way...
Attachments
Add attachment proposed patch, testcase, etc.
Zeno Albisser
Comment 1 2013-02-15 06:47:24 PST
Hi Milian, I am currently looking into Qt URL Scheme related issues. Including redesigning the current solution to use CustomProtocolManager. So I'll reassign this task to myself. - I hope you don't mind.
Simon Hausmann
Comment 2 2013-02-18 06:22:32 PST
(In reply to comment #0) > Recently QtWebKit started registering the qrc application scheme handler. While this might be neat for many simple apps, it becomes potentially undesired in bigger applications. Especially when you want to encapsulate HTML applications into a Qt app or write a HTML browser, you do not want random websites to access the app-local resources. I'm not sure if unregistering qrc: is the right thing to do. Instead it would seem to me that qrc:/ should be treated with the same "security" eyes as file:/ and is therefore subject to the same limitations, i.e. that remote content cannot access local content. If we can be sure of that, then I don't think we need any configuration option or so.
Milian Wolff
Comment 3 2013-06-04 03:08:25 PDT
Simon, even local "apps" might not be allowed to access qrc/file without limitation. Think of using QtWebKit as a container for HTML apps that are run locally. These are usually still not trusted any more than a normal remote web app. So I still think it should be configurable whether qrc/file is accessible or not to a given WebView.
Jocelyn Turcotte
Comment 4 2014-02-03 03:25:05 PST
=== Bulk closing of Qt bugs === If you believe that this bug report is still relevant for a non-Qt port of webkit.org, please re-open it and remove [Qt] from the summary. If you believe that this is still an important QtWebKit bug, please fill a new report at https://bugreports.qt-project.org and add a link to this issue. See http://qt-project.org/wiki/ReportingBugsInQt for additional guidelines.
Note You need to log in before you can comment on or make changes to this bug.