[webkit-qt] Sending XMLHttpRequests from pages loaded from local URLs to web sites.

Simon Hausmann simon.hausmann at nokia.com
Tue Jan 19 07:17:35 PST 2010


On Saturday 16 January 2010 Gombos Laszlo.1 (Nokia-D/Boston), wrote:
> Simon,
> 
> Carol & I discussed this a bit more.
> 
> "GlobalAccess" in the name is a bit misleading as one might relate it to
>  granting all=global access to something, which is not the case.  I think
>  this API works similarly to globalSettings() interface as it sets up
>  access rules for to-be-created pages. I think this should be a static
>  QWebSecurityOrigin function and static also signals that this is "global".
> 
> What about "static QWebSecurityOrigin::addAccessFromOrigin(..).". I do not
>  really have an opinion on the arguments, both proposals (big long one and
>  DomainAccess ) look good to me.

After a long API discussion here in Oslo we concluded a proposal. I pasted it 
into bugzilla at

	https://bugs.webkit.org/show_bug.cgi?id=31875#c11

-- qwebsecurityorigin.h

class QWebSecurityOrigin {
    ...

    class AccessEntry {
    public:
        AccessEntry();
        AccessEntry(const QString& destination);
        ~AccessEntry();

        QString domain() const { return m_domain; }
        void setDomain(const QString& domain) { m_domain = domain; }

        // Setter must be non-const: it modifies m_scheme.
        void setScheme(const QString& scheme) { m_scheme = scheme; }
        QString scheme() const { return m_scheme; }

        void setAllowSubDomains(bool allow) { m_allowSubDomains = allow; }
        bool allowSubDomains() const { return m_allowSubDomains; }

    private:
        QString m_domain;
        QString m_scheme;
        bool m_allowSubDomains;
        struct Private;
        Private *d;
    };

    ...
    static QList<QWebSecurityOrigin::AccessEntry> crossOriginAccessList(const QString& origin);
    static void setCrossOriginAccessList(const QString& origin, const QList<QWebSecurityOrigin::AccessEntry>& list);
    static void clearCrossOriginAccessLists();
    ...

-- qwebsecurityorigin.cpp

QWebSecurityOrigin::AccessEntry::AccessEntry()
    : m_allowSubDomains(false)
    , d(0)
{
}

QWebSecurityOrigin::AccessEntry::AccessEntry(const QString& destination)
    : m_allowSubDomains(false)
    , d(0)
{
    // Parse the destination string once and keep only its scheme and host.
    RefPtr<SecurityOrigin> dest = SecurityOrigin::createFromString(destination);
    m_domain = dest->host();
    m_scheme = dest->protocol();
}

QWebSecurityOrigin::AccessEntry::~AccessEntry()
{
    delete d;
}

-- example use-cases

QList<QWebSecurityOrigin::AccessEntry> accessList =
    QWebSecurityOrigin::crossOriginAccessList("weatherwidget.com");

for (...) {
    QWebSecurityOrigin::AccessEntry entry;
    entry.setDomain("google.com");
    entry.setAllowSubDomains(true);

    accessList.append(entry);
}

accessList.append(QWebSecurityOrigin::AccessEntry("https://google.com"));

QWebSecurityOrigin::AccessEntry entry("https://google.com");
entry.setAllowSubDomains(true);
accessList.append(entry);

QWebSecurityOrigin::setCrossOriginAccessList("weatherwidget.com", accessList);

QWebSecurityOrigin::clearCrossOriginAccessLists();


Simon

> -----Original Message-----
> From: webkit-qt-bounces at lists.webkit.org
>  [mailto:webkit-qt-bounces at lists.webkit.org] On Behalf Of Hausmann Simon
>  (Nokia-D-Qt/Oslo) Sent: Friday, January 08, 2010 11:40 AM
> To: webkit-qt at lists.webkit.org
> Subject: Re: [webkit-qt] Sending XMLHttpRequests from pages loaded from
>  local URLs to web sites.
> 
> 
> (Kenneth, Benjamin, Tor Arne, others interested in the API - please
>  comment)
> 
> On Monday 21 December 2009 Szabo Carol (Nokia-D/Boston), wrote:
> > While allowing pages loaded from one security origin to send
> > XMLHttpRequests to URLs located in a different security origin is
> > unsecure  for various reasons and therefore should be forbidden by
> > default, there  are legitimate use cases such as those of Offline
> > Applications and Widgets  that require this feature. WebKit internally
> > supports a static whiteList  that pairs source security origins with
> > ranges of allowed target security  origins. This whieList is privately
> > exposed by the QtWebKit Api for the  use of DumpRenderTree via
> >
> > void QWEBKIT_EXPORT qt_drt_whiteListAccessFromOrigin(const QString&
> > sourceOrigin, const QString& destinationProtocol, const QString&
> > destinationHost, bool allowDestinationSubdomains);
> > void QWEBKIT_EXPORT qt_drt_resetOriginAccessWhiteLists();
> >
> > Since the need for this Api appears to be broad and long term I
> > suggest making it an official Api. In keeping with other QtWebKit
> > Apis, here is my proposal:
> 
> I agree, we should try to make it public API.
> 
> > In the current QWebSecurity origin add the following members:
> >
> > static QWebSecurityOrigin* create(const QUrl&);
> >           -- This is needed because all current constructors of
> > QWebSecurity origin are private and none of them takes a Url as an
> > argument. -- Since this pattern is not used in Qt, probably adding a
> > public constructor would be more appropriate. Please vote on this.
> >
> > typedef enum
> > {
> >      DontIncludeSubdomains,
> >      IncludeSubdomains
> > } SubdomainHandling;
> >
> > void addToWhiteList(const QUrl&, SubdomainHandling subdomainHandling =
> > DontIncludeSubdomains);
> > static void clearWhiteLists();
> >
> >         -- These functions implement the currently hidden API.
> >         -- There is a fine point about addToWhiteList:
> > qt_drt_whiteListAccessFromOrigin ignores *. at the beginning of the
> > hostname, QUrl does not accept host names containing *. This
> > difference in behavior must be accounted for in DumpRenderTree when
> > making the transition and may be an issue for users, as code like
> > this
> > page->securityOrigin()->addToWhiteList(QUrl("http://*.google.com"),
> >  QWebSecurityOrigin::IncludeSubdomains);
> > has the most likely unexpected effect of whitelisting all http
> > websites. An alternative is to use a version of add to whitelist that
> > is closer to the ultimate implementation:
> > void addToWhiteList(const QString& scheme, const QString& host,
> > SubdomainHandling subdomainHandling = DontIncludeSubdomains);
> 
> With QUrl not accepting "*" in the host name I think it's clear that it's
>  not the right data type to use.
> 
> I remember I was opposed to a method that has many arguments, initially. But
>  looking at the resulting code with a member method I'm inclined to change
>  my opinion ;-). Let's compare:
> 
> frame->securityOrigin()->addToWhiteList("http", "*.google.com",
> QWebSecurityOrigin::AllowSubDomains);
> 
> By looking at the code one might believe that this only affects the
>  security origin of the frame, but the call has a global effect!
> 
> What about this API?
> 
> QWebSecurityOrigin::DomainAccess access;
> access.source
> access.scheme = "http";
> access.domain = "*.google.com";
> access.includeSubDomains = true;
> 
> QWebSecurityOrigin::addGlobalAccessFromOrigin("http://foo.webkit.org:80",
> access);
> 
> 
> The alternative remains the big long one, just for comparison:
> 
> QWebSecurityOrigin::addGlobalAccessFromOrigin("http://foo.webkit.org:80",
> "http", "*.google.com", QWebSecurityOrigin::AllowAccessToSubDomains);
> 
> 
> Granted, only few developers will ever write this...
> 
> Simon
> 
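
The thread's concern that a wildcard host passed through a URL type can end up whitelisting every site of a scheme can be checked before a list is registered. The following is an added example, not QtWebKit code and not part of the original messages: a standard-library-only model of a per-origin access list, in which `isSafeEntry`, `entryMatches`, `setAccessList` and `canRequest` are hypothetical names and the matching rule (an empty domain with subdomains allowed matches all hosts) is an assumption based on the behaviour described in the thread.

```cpp
#include <map>
#include <string>
#include <vector>

// Stand-in for the proposed AccessEntry (plain aggregate, no Qt needed).
struct AccessEntry {
    std::string scheme;
    std::string domain;
    bool allowSubDomains;
};

// Reject entries that would silently widen access: an empty domain (what a
// failed parse of "http://*.google.com" leaves behind) or a literal '*'.
bool isSafeEntry(const AccessEntry& e) {
    return !e.scheme.empty() && !e.domain.empty()
        && e.domain.find('*') == std::string::npos;
}

// Assumed rule: same scheme, and host equal to domain or, with subdomains
// allowed, ending in "." + domain. Empty domain + subdomains matches any host.
bool entryMatches(const AccessEntry& e, const std::string& scheme, const std::string& host) {
    if (e.scheme != scheme) return false;
    if (e.domain == host) return true;
    if (!e.allowSubDomains) return false;
    if (e.domain.empty()) return true;
    const std::string suffix = "." + e.domain;
    return host.size() > suffix.size()
        && host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
}

using AccessLists = std::map<std::string, std::vector<AccessEntry>>;

// Lists are keyed by source origin; refuse the whole list if any entry is unsafe.
bool setAccessList(AccessLists& lists, const std::string& origin,
                   const std::vector<AccessEntry>& list) {
    for (const AccessEntry& e : list)
        if (!isSafeEntry(e)) return false;
    lists[origin] = list;
    return true;
}

bool canRequest(const AccessLists& lists, const std::string& origin,
                const std::string& scheme, const std::string& host) {
    auto it = lists.find(origin);
    if (it == lists.end()) return false;  // default: cross-origin access denied
    for (const AccessEntry& e : it->second)
        if (entryMatches(e, scheme, host)) return true;
    return false;
}
```
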