[Webkit-unassigned] [Bug 51159] [Qt] Permit qrc resources to load in QWebSettings::setUserStyleSheetUrl()
bugzilla-daemon at webkit.org
Fri Dec 17 09:00:48 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=51159
--- Comment #6 from Jarred Nicholls <jarred.nicholls at gmail.com> 2010-12-17 09:00:48 PST ---
(In reply to comment #5)
> > For the same reason you can't open a file:// url from some http:// document, loading
> > a style sheet from a qrc resource should not open any security holes.
>
> My previous question was more: if an app has access to file system, does the patch make it able to access qrc as well?
>
> Looking at the code in WebCore, seems that it is unlikely.

Indeed it is unlikely, since fileSystemPath is not used anywhere else in WebCore, aside from one platform-specific spot that is 1) guarded behind an isLocalFile() check, and 2) can't handle qrc resources anyways :)

With that said, if a resource is local (file, qrc, whatever), then by default they can access each other - anything local on a user's machine is automatically considered to be in the same security origin and is trustworthy. This, however, can be turned off via QWebSettings::LocalContentCanAccessFileUrls.

This would only warrant further discussion if fileSystemPath() was used in critical resource loading functions and SecurityOrigin. Note: resource loading looks to the local scheme registry to determine local vs remote, and qrc is registered by default... just something to consider.

>
>
> In all cases, this definitely needs a test (WebKit/qt/tests).

Definitely. Just curious if this change would fly or not.