[webkit-qt] Sending XMLHttpRequests from pages loaded from local URLs to web sites

carol.szabo at nokia.com carol.szabo at nokia.com
Wed Jan 20 10:50:08 PST 2010

I am pasting here the reply I made to Simon's comment on bugs.webkit.org:

I hope you guys realize that this interface cannot be implemented (except in a
hackish way) as a thin wrapper over existing WebCore functionality because
webkit supports a write only API for whitelists.
The WebCore/page/OriginAccessEntry and SecurityOrigin classes will need to be
enriched with code implementing the supporting functionality for this API, or
otherwise duplicate copies need to be kept for the lists associated with every
origin until they are removed.
Also, the crossOriginAccessList function involves returning by value a
structure of significant complexity, which usually involves a lot of copying
and reallocating memory, not a brilliant idea in my opinion, even when the list
is usually small and the function is rarely called.
I suggest changing the crossOriginAccessList function to return a smart pointer
of some kind to the whiteList and adding a constructor to the AccessEntry that
would construct it based on parts retrieved from the WebCore OriginAccessEntry:
scheme, domain, allow subdomains.
If we are to make changes to WebCore, I would argue for adding a port field to
the access entry structure since the SecurityOrigin is also defined by the port
in addition to the host and security.
You realize that in your example with allowSubDomains=false www.google.com
would not be included, as what is called domain, when allowSubDomains is false,
really means virtual host at list for HTTP, that is why I am not sure how to
call this field that has dual meaning.

Before jumping into implementing this thing, I want to test that this is what we really want.
TO put it in exact and simple terms my concerns are:
1. Do we want to enrich the WebCore whitelist support to help us implementing this API correctly?
2. Do we want to return the OriginAccessList by value or by pointer?
3. Do we want to add support for including the port in the Access permission criteria?
4. Shall we continue to call the AccessEntry field domain or is securityDomain any better?

Carol Szabo
Nokia Inc.

After a long API discussion here in Oslo we concluded a proposal. I pasted it 
into bugzilla at


-- qwebsecurityorigin.h

class QWebSecurityOrigin {

    class AccessEntry {
        AccessEntry(const QString& destination);

        QString domain() const { return m_domain; }
        void setDomain(const QString& domain) { m_domain = domain; }

        void setScheme(const QString& scheme) const { m_scheme = scheme; }
        QString scheme() const { return m_scheme; }

        void setAllowSubDomains(bool allow) { m_allowSubDomains = allow; }
        bool allowSubDomains() const { return m_allowSubDomains; }

        QString m_domain;
        QString m_scheme;
        bool m_allowSubDomains;
        struct Private;
        Private *d;

    static QList<QWebSecurityOrigin::AccessEntry> crossOriginAccessList(const
QString& origin);
    static void setCrossOriginAccessList(const QString& origin, const
QList<QWebSecurityOrigin::AcessEntry>& list);
    static clearCrossOriginAccessLists();

-- qwebsecurityorigin.cpp

    : m_allowSubDomains(false)
    , d(0)

QWebSecurityOrigin::AccessEntry::AcessEntry(const QString& destination)
    : m_allowSubDomains(false)
    , d(0)
    RefPtr<SecurityOrigin> dest =
    m_domain = dest.host();
    m_scheme = dest.protocol();

    delete d;

-- example use-cases

QList<QWebSecurityOrigin::AccessEntry> accessList =

for (...) {
    QWebSecurityOrigin::AccessEntry entry;



QWebSecurityOrigin::AccessEntry entry("https://google.com");

QWebSecurityOrigin::setCrossOriginAccessList("weatherwidget.com", accessList);



More information about the webkit-qt mailing list