[webkit-gtk] Exposing enable-web-security through WebKitSettings? (for test harnesses)

Mario Sanchez Prada mario.prada at samsung.com
Tue Mar 18 08:09:15 PDT 2014 

Hi all,

Today I was trying to run the CSS 2.1 suite with MiniBrowser, as described in [1], but could not do it because the test suite would not run due to the following error observed in the JS console:

"No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access."

That is basically the "same-origin" policy working, which gets honoured internally if the WebSecurityEnabled property is set to true (which is like that by default). Actually, doing a quick check with chromium led to a similar result (test suite not running), but in that case it was easy to overcome the problem since chromium provides a --disable-web-security command line switch that you can use to disable the "same-origin" policy (see [2]).

So, because I'm pretty much interested in running that test suite in WebKit too, I just did some small changes to expose this setting too in WebKit2GTK (I use a "enable-web-security" property) and I was wondering if there would be interest in upstreaming this as part of the WebKitSettings API.

Honestly, I'm not sure how useful exposing this feature would be or how many use cases would benefit of it, but I know of one which is the one I found (test harnesses), which seems to be the primary reason for this setting to exist, as I can red from Document.cpp:

 [...]
 if (Settings* settings = this->settings()) {
     if (!settings->webSecurityEnabled()) {
         // Web security is turned off. We should let this document access every other document. This is used primary by testing
         // harnesses for web sites.
         securityOrigin()->grantUniversalAccess();
     } else if (securityOrigin()->isLocal()) {
         [...]
     }
     [...]
 } 

So, what do you think? I have the patch almost ready (documentation not added yet) in a local branch so I was thinking of filing a bug and attaching it for review unless someone thinks this is not a good idea.

Thanks,
Mario

[1] http://trac.webkit.org/wiki/CSS21Results
[2] http://peter.sh/experiments/chromium-command-line-switches

More information about the webkit-gtk mailing list