diff options
authorLeena Miettinen <>2016-02-03 16:28:47 +0100
committerJani Heikkinen <>2016-02-04 12:58:01 +0000
commit46b561970579c08af6e2b2df0713f84396e0da0d (patch)
parent2fa97ee1ea69024c83968b8b2bbab8d9baffe66b (diff)
Doc: QWebEngineSettings::WebAttribute values provide no safety mechanisms
Task-number: QTBUG-45556 Change-Id: Ifc39eba7f9e9324f180feeb0d99fef1434f97d64 Reviewed-by: Allan Sandfeld Jensen <>
1 files changed, 8 insertions, 1 deletions
diff --git a/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc b/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc
index 3dc23e03..df85c39f 100644
--- a/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc
+++ b/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc
@@ -99,7 +99,14 @@
\value LocalStorageEnabled
Enables support for the HTML 5 local storage feature. Enabled by default.
\value LocalContentCanAccessRemoteUrls
- Allows locally loaded documents to access remote URLs. Disabled by default.
+ Allows locally loaded documents to ignore cross-origin rules so that they can access
+ remote resources that would normally be blocked, because all remote resources are
+ considered cross-origin for a local file. Remote access that would not be blocked by
+ cross-origin rules is still possible when this setting is disabled (default).
+ Note that disabling this setting does not stop XMLHttpRequests or media elements in
+ local files from accessing remote content. Basically, it only stops some HTML
+ subresources, such as scripts, and therefore disabling this setting is not a safety
+ mechanism.
\value XSSAuditingEnabled
Monitors load requests for cross-site scripting attempts. Suspicious scripts are blocked
and reported in the inspector's JavaScript console. Disabled by default, because it