[Webkit-unassigned] [Bug 51159] [Qt] Permit qrc resources to load in QWebSettings::setUserStyleSheetUrl()

bugzilla-daemon at webkit.org
Thu Dec 16 21:23:05 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=51159





--- Comment #4 from Jarred Nicholls <jarred.nicholls at gmail.com>  2010-12-16 21:23:05 PST ---
(In reply to comment #3)
> Is there a security implication of this? For example, can now any application which is granted the access to local file also upload/peek any resource (in particular in a hybrid QtWebKit-based app)?

AFAICT, the answer would be "no".  The security worry would be if remote sources could access/open local resources.  For the same reason you can't open a file:// url from some http:// document, loading a style sheet from a qrc resource should not open any security holes.

fileSystemPath() is only used in one other location in WebCore, and that is for resource loading in the Windows port.  This same function first ensures the resource is a file:// url anyways, so qrc wouldn't even be considered.

But I digress...fileSystemPath is only universally used in this one spot in WebCore; to load a style sheet file.

> 
> This static_cast is rather scary. I can't think of a better solution right now :(

The other solution is just a semantic change, doing an implicit cast:

((QUrl)(*this)).toLocalFile();

The method directly proceeding KURLQt::fileSystemPath() is an overloaded cast for KURL -> QUrl.
