[webkit-qt] Interfaces to whitelist origins in QtWebkit API (your thoughts please!)

Jocelyn Turcotte jocelyn.turcotte at digia.com
Wed Mar 20 09:47:03 PDT 2013


On Wed, Mar 20, 2013 at 05:06:01PM +0100, Jocelyn Turcotte wrote:
> Hello,
> 
> On Fri, Mar 15, 2013 at 10:40:35AM +0000, Saha, Deepjyoti wrote:
> > The QtWebkit API set in Qt 4.8 does not contain any intefraces which could allow a QtWebkit based browser to add/remove specific domains to be whitelisted for cross origin requests.  I understand that previosly these API's were exposed through the intefraces in "QWebSecurityOrigin" which invoked the  API's in WebCore's SecurityOrigin class. But currently the API's to add/remove a whitelist entry are exposed through WebCore's SecurityPolicy class and there are no interfaces in QtWebkit API to invoke the same.
> > 
> > I aslo noticed there was a bug raised and it was discussed in the following thread:
> > https://bugreports.qt-project.org/browse/QTWEBKIT-24?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel
> > 
> > But it has not been implemented yet. It would be great if you could let me could know of any particluar reason this was not taken up ?
> > To be specific were there any concerns from the  security standpoint on exposing such interfaces ?
> 
> I think that just nobody had enough interest to fix it, yet :)
> 
> I personally think that this could be implemented as static functions of QWebSecurityOrigin, similar to addLocalScheme and removeLocalScheme. Other people might have better idea but if not now, this could be a good starting point at least.
> 

Allan just pointed me that your bug report points to https://bugs.webkit.org/show_bug.cgi?id=31875 where we already have a similar unfinished implementation.
I believe it got forgotten out of other tasks getting in the way, but it should be possible to start again from there.

Cheers,
Jocelyn


More information about the webkit-qt mailing list