[webkit-gtk] Exposing enable-web-security through WebKitSettings? (for test harnesses)

Sven Schwedas sven.schwedas at tao.at
Tue Mar 18 08:13:33 PDT 2014


Hi,

On 2014-03-18 16:09, Mario Sanchez Prada wrote:
> Hi all,
> 
> Today I was trying to run the CSS 2.1 suite with MiniBrowser, as described in [1], but could not do it because the test suite would not run due to the following error observed in the JS console:
> 
> "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access."
> 
> That is basically the "same-origin" policy working, which gets honoured internally if the WebSecurityEnabled property is set to true (which is like that by default). Actually, doing a quick check with Chromium led to a similar result (test suite not running), but in that case it was easy to overcome the problem since Chromium provides a --disable-web-security command line switch that you can use to disable the "same-origin" policy (see [2]).
> 
> So, because I'm pretty much interested in running that test suite in WebKit too, I just did some small changes to expose this setting too in WebKit2GTK (I use an "enable-web-security" property) and I was wondering if there would be interest in upstreaming this as part of the WebKitSettings API.
> 
> Honestly, I'm not sure how useful exposing this feature would be or how many use cases would benefit from it, but I know of one which is the one I found (test harnesses), which seems to be the primary reason for this setting to exist, as I can read from Document.cpp:
> 
>  [...]
>  if (Settings* settings = this->settings()) {
>      if (!settings->webSecurityEnabled()) {
>          // Web security is turned off. We should let this document access every other document. This is used primary by testing
>          // harnesses for web sites.
>          securityOrigin()->grantUniversalAccess();
>      } else if (securityOrigin()->isLocal()) {
>          [...]
>      }
>      [...]
>  } 
> 
> So, what do you think? I have the patch almost ready (documentation not added yet) in a local branch so I was thinking of filing a bug and attaching it for review unless someone thinks this is not a good idea.

I'd really appreciate it, we're using Chromium with this to locally test
web applications. Being able to use (Py)WebkitGTK would make testing a
lot easier. :-)

> Thanks,
> Mario
> 
> [1] http://trac.webkit.org/wiki/CSS21Results
> [2] http://peter.sh/experiments/chromium-command-line-switches

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
