author Jüri Valdmann <juri.valdmann@qt.io> 2018-07-19 10:54:33 +0200
committer Jüri Valdmann <juri.valdmann@qt.io> 2018-07-20 09:39:51 +0000
commit 8f914155c4d32fd8befa01c6cc09957d082ca7fe
tree 15b9d5cb0ba53e9ecceefd73c5dc7833b62167e0 /src/core/api
parent 2d3afea3c0a1d56b62fbd28d0a49a64c06857eb1
QWebEngineUrlRequestJob: QUrl("null") for unique initiator origins
The empty URL is used both for representing a missing origin (browser-initiated navigation request) and a unique/opaque origin. This is problematic since the security implications are very different in these two cases: browser-initiated requests usually should have high security clearance, while requests from unique origins should be restricted.

Task-number: QTBUG-69372
Change-Id: Iff73fd1c9a29f1c5c281a8945536333081ff2d6b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'src/core/api')
-rw-r--r-- src/core/api/qwebengineurlrequestjob.cpp 21
1 files changed, 18 insertions, 3 deletions
diff --git a/src/core/api/qwebengineurlrequestjob.cpp b/src/core/api/qwebengineurlrequestjob.cpp
index c028a1167..f741b88e8 100644
--- a/src/core/api/qwebengineurlrequestjob.cpp
+++ b/src/core/api/qwebengineurlrequestjob.cpp
@@ -115,9 +115,24 @@ QByteArray QWebEngineUrlRequestJob::requestMethod() const
/*!
\since 5.11
- Returns the origin URL of the content that initiated the request. If the
- request was not initiated by web content the function will return an
- empty QUrl.
+ Returns the serialized origin of the content that initiated the request.
+
+ Generally, the origin consists of a scheme, hostname, and port. For example,
+ \c "http://localhost:8080" would be a valid origin. The port is omitted if
+ it is the scheme's default port (80 for \c http, 443 for \c https). The
+ hostname is omitted for non-network schemes such as \c file and \c qrc.
+
+ However, there is also the special value \c "null" representing a unique
+ origin. It is, for example, the origin of a sandboxed iframe. The purpose of
+ this special origin is to be always different from all other origins in the
+ same-origin check. In other words, content with a unique origin should never
+ have privileged access to any other content.
+
+ Finally, if the request was not initiated by web content, the function will
+ return an empty QUrl. This happens, for example, when you call \l
+ QWebEnginePage::setUrl().
+
+ This value can be used for implementing secure cross-origin checks.
*/
QUrl QWebEngineUrlRequestJob::initiator() const
{
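Review bot: The paragraph introducing the special value `\c "null"` does not say what the caller actually receives, given that initiator() returns a QUrl. Spell out that the return value is QUrl("null"), as the commit subject does, and state how to tell it apart from the empty QUrl described in the following paragraph, for instance isEmpty() for a request not initiated by web content versus equality with QUrl("null") for a unique origin. Because the function is marked `\since 5.11` and the removed text only mentioned the empty QUrl, the comment should also note from which version unique origins stop being reported as empty, so that handlers which treat an empty initiator as trusted know their check has changed meaning. The closing line "This value can be used for implementing secure cross-origin checks" is vague; it would be more useful to say that "null" must never compare as same-origin with anything, including another "null" initiator, which is what the unique-origin paragraph already implies.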