[webkit-qt] [Qt] HTTP header injection vulnerability (QWebPage::userAgentForUrl)

Ariya Hidayat ariya.hidayat at gmail.com
Thu Sep 22 00:16:49 PDT 2011

"vulnerability" is a too strong word for this case.

The way I look it is more like enforcing this contract:

  Setting a user agent should not falsify any other part of the HTTP
header sent to the server.

Note that some advanced QtWebKit-based browser may want to give its
user the option to set a custom user agent. While it does make sense
to enforce that contract at the level of the API user (i.e. in the
said browser), it still does make sense to enforce it also within

Ariya Hidayat, http://ariya.ofilabs.com

More information about the webkit-qt mailing list