[webkit-qt] Sending XMLHttpRequests from pages loaded from local URLs to web sites.

carol.szabo at nokia.com carol.szabo at nokia.com
Mon Dec 21 11:25:49 PST 2009 

While allowing pages loaded from one security origin to send XMLHttpRequests to URLs located in a different security origin is unsecure for various reasons and therefore should be forbidden by default, there are legitimate use cases such as those of Offline Applications and Widgets that require this feature.
WebKit internally supports a static whiteList that pairs source security origins with ranges of allowed target security origins.
This whieList is privately exposed by the QtWebKit Api for the use of DumpRenderTree via

void QWEBKIT_EXPORT qt_drt_whiteListAccessFromOrigin(const QString& sourceOrigin, const QString& destinationProtocol, const QString& destinationHost, bool allowDestinationSubdomains);
void QWEBKIT_EXPORT qt_drt_resetOriginAccessWhiteLists();

Since the need for this Api appears to be broad and long term I suggest making it an official Api. In keeping with other QtWebKit Apis, here is my proposal:

In the current QWebSecurity origin add the following members:

static QWebSecurityOrigin* create(const QUrl&);
          -- This is needed because all current constructors of QWebSecurity origin are private and none of them takes a Url as an argument.
          -- Since this pattern is not used in Qt, probably adding a public constructor would be more appropriate. Please vote on this.

typedef enum
{
     DontIncludeSubdomains,
     IncludeSubdomains
} SubdomainHandling;

void addToWhiteList(const QUrl&, SubdomainHandling subdomainHandling = DontIncludeSubdomains);
static void clearWhiteLists();

        -- These functions implement the currently hidden API.
        -- There is a fine point about addToWhiteList:  qt_drt_whiteListAccessFromOrigin ignores *. at the beginning of the hostname, QUrl does not accept host names containing *. This difference in behavior must be accounted for in DumpRenderTree when making the transition and may be an issue for users, as code like this
       page->securityOrigin()->addToWhiteList(QUrl(http://*.google.com"), QWebSecurityOrigin::IncludeSubDomains);
has the most likely unexpected effect of whitelisting all http websites.
an alternative is to use a version of add to whitelist that is closer to the ultimate implementation:
void addToWhiteList(const QString& scheme, const QString& host, SubdomainHandling subdomainHandling = DontIncludeSubdomains);

Please comment on the above solution, especially about the items in question: pick, agree, object and/or propose improvements.
Thank you,
Carol Szabo

More information about the webkit-qt mailing list