[Webkit-unassigned] [Bug 109934] New: [Qt] qrc application scheme handler cannot be disabled

bugzilla-daemon at webkit.org
Fri Feb 15 06:31:23 PST 2013


https://bugs.webkit.org/show_bug.cgi?id=109934

           Summary: [Qt] qrc application scheme handler cannot be disabled
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Qt
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: milian.wolff at kdab.com


Recently QtWebKit started registering the qrc application scheme handler. While this might be neat for many simple apps, it becomes potentially undesired in bigger applications. Especially when you want to encapsulate HTML applications into a Qt app or write an HTML browser, you do not want random websites to access the app-local resources.

Personally I think a way to unregister application scheme handlers could solve this issue but might not be possible due to the static, i.e. read-only, nature of the urlSchemeDelegates property in QML. Should we instead introduce a new setting such as experimental.enableQRCSchemeDelegate?

See also https://bugs.webkit.org/show_bug.cgi?id=108808 and:

[13:04] <mibrunin> [16:13:29] milian: I added a comment :) AFAICS, qrc handler is not within the list of handlers as it will always be registered...
[13:04] <milian> [16:14:51] hm that sounds odd - shouldn't the qrc scheme be registered explicitly?
[13:04] <milian> [16:15:09] otherwise any website could access qrc data of a Qt webbrowser - no?
[13:04] <milian> [16:15:24] explicitly == by the user?
[13:04] <mibrunin> [16:20:15] milian: you might have a point there, i.e. we might have to add API to enable the qrc handler. however, that is a separate bug.
[13:04] <milian> [16:20:45] yeah - but re-registering the qrc handler should be done in my patch?
[13:04] <milian> [16:20:56] I can do it, but it feels odd to me - so I want to make sure :)
[13:04] <mibrunin> [16:21:33] milian: I would say so, otherwise, qrc handling would remain broken after a webprocess relaunch
[13:04] <mibrunin> [16:24:03] milian: I'd suggest to do it like this, as otherwise, the qrc scheme handling would work up until a webprocess crash and then cease to work
[13:04] <mibrunin> [16:25:07] milian: but good point to have it explicitly enabled / restrict access in some way...
