[webkit-qt] Interfaces to whitelist origins in QtWebkit API (your thoughts please!)

Saha, Deepjyoti DeepjyotiS at nds.com
Wed Mar 20 21:09:14 PDT 2013



Hi Jocelyn,

Thanks for the response! :-)

Yes, even I feel that these API's can be implemented as static functions and I would like to submit a patch for this.
But it can be done in QWebSecurityOrigin (as you suggested) or be implemented in a new class "QWebSecurityPolicy" (to maintain the coherence between classes in QtWebkit and WebCore) ?
Please let me know your opinion.

I checked the bug you mentioned:
https://bugs.webkit.org/show_bug.cgi?id=31875 (Impossible to make XMLHttpRequest from locally stored HTML page)
So this patch can be submiited under the existing bug report itself correct ?



Regards,
Deepjyoti Saha


-----Original Message-----
From: Jocelyn Turcotte [mailto:jocelyn.turcotte at digia.com]
Sent: Wednesday, March 20, 2013 10:17 PM
To: Saha, Deepjyoti
Cc: webkit-qt at lists.webkit.org
Subject: Re: [webkit-qt] Interfaces to whitelist origins in QtWebkit API (your thoughts please!)

On Wed, Mar 20, 2013 at 05:06:01PM +0100, Jocelyn Turcotte wrote:
> Hello,
>
> On Fri, Mar 15, 2013 at 10:40:35AM +0000, Saha, Deepjyoti wrote:
> > The QtWebkit API set in Qt 4.8 does not contain any intefraces which could allow a QtWebkit based browser to add/remove specific domains to be whitelisted for cross origin requests.  I understand that previosly these API's were exposed through the intefraces in "QWebSecurityOrigin" which invoked the  API's in WebCore's SecurityOrigin class. But currently the API's to add/remove a whitelist entry are exposed through WebCore's SecurityPolicy class and there are no interfaces in QtWebkit API to invoke the same.
> >
> > I aslo noticed there was a bug raised and it was discussed in the following thread:
> > https://bugreports.qt-project.org/browse/QTWEBKIT-24?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel
> >
> > But it has not been implemented yet. It would be great if you could let me could know of any particluar reason this was not taken up ?
> > To be specific were there any concerns from the  security standpoint on exposing such interfaces ?
>
> I think that just nobody had enough interest to fix it, yet :)
>
> I personally think that this could be implemented as static functions of QWebSecurityOrigin, similar to addLocalScheme and removeLocalScheme. Other people might have better idea but if not now, this could be a good starting point at least.
>

Allan just pointed me that your bug report points to https://bugs.webkit.org/show_bug.cgi?id=31875 where we already have a similar unfinished implementation.
I believe it got forgotten out of other tasks getting in the way, but it should be possible to start again from there.

Cheers,
Jocelyn

________________________________

This message is confidential and intended only for the addressee. If you have received this message in error, please immediately notify the postmaster at nds.com and delete it from your system as well as any copies. The content of e-mails as well as traffic data may be monitored by NDS for employment and security purposes.
To protect the environment please do not print this e-mail unless necessary.

An NDS Group Limited company. www.nds.com


More information about the webkit-qt mailing list