[webkit-qt] Preventing net access for specific WebView

Thomas McGuire thomas.mcguire at kdab.com
Thu Mar 14 07:10:10 PDT 2013 

Hi,

we're developing a Qt5/QtQtuick2 application that can embed other HTML5 
applications. These HTML5 apps are displayed in QML WebViews.

I'd like to restrict network access in some of the WebViews, while allowing 
network access in others. The only way to get network access on that device is 
via a SOCKS5 proxy running on localhost. So I see two possibility of 
restricting network access:

1) Make some WebViews use the proxy, and making other WebViews not use the 
proxy.
2) Make all WebViews use the proxy but somehow(?) disable network access in 
some of the WebViews by other means.

Right now, the only way to set a proxy at all is via the env vars http_proxy 
and https_proxy. Since there is only one web process with one QNAM, setting 
these env vars means the proxy is set globally, for all WebViews, which would 
rule out 1).

One idea I had to make 1) work is to add additional API to QQuickWebView to 
enabled the ProcessModelMultipleSecondaryProcesses, and then add more API to 
QQuickWebView to set a proxy via API rather than via env vars. That would 
enable to have one web process per WebView, and the proxy could be set per 
WebView, exactly what I needed, although with the unfortunate side effect of 
having many more processes, which on an embedded device is probably not good. 
The other thing is that I heard plans of moving the QNAM to a seperate network 
process, in which case having multiple web processes does not help anyway. 
What is the timeline for having the network process in Qt, btw?


Or maybe there is a way to make 2) work? I tried playing around with settings 
like setAllowUniversalAccessFromFileURLs(false), but that only restricts 
script loading, not all network traffic. Seems like SecurityOrigin is made to 
prevent cross-site stuff, not to prevent network traffic at all. So that 
doesn't seem to work for me. Maybe there are some other means which you know 
about?


I would appreciate any ideas how to restrict network traffic in some specific 
WebViews, but not all. Ideally I would prefer a solution where I can write an 
upstreamable patch. Well better even making this work without a patch :)

Any ideas are welcome, I am that desperate that I even considered creating URL 
scheme delegates for HTTP and HTTPS... 


Regards,
Thomas
-- 
Thomas McGuire | thomas.mcguire at kdab.com | Software Engineer
KDAB (Deutschland) GmbH&Co KG, a KDAB Group company
Tel. Germany +49-30-521325470, Sweden (HQ) +46-563-540090
KDAB - Qt Experts - Platform-independent software solutions
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3637 bytes
Desc: not available
URL: <http://lists.webkit.org/pipermail/webkit-qt/attachments/20130314/5828f296/attachment.p7s>

More information about the webkit-qt mailing list