Doc: QWebEngineSettings::WebAttribute values provide no safety mechanisms

Task-number: QTBUG-45556
Change-Id: Ifc39eba7f9e9324f180feeb0d99fef1434f97d64
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>

1 files changed, 8 insertions, 1 deletions

diff --git a/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc b/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc
index 3dc23e037..df85c39fb 100644
--- a/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc
+++ b/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc
@@ -99,7 +99,14 @@
     \value  LocalStorageEnabled
             Enables support for the HTML 5 local storage feature. Enabled by default.
     \value  LocalContentCanAccessRemoteUrls
-            Allows locally loaded documents to access remote URLs. Disabled by default.
+            Allows locally loaded documents to ignore cross-origin rules so that they can access
+            remote resources that would normally be blocked, because all remote resources are
+            considered cross-origin for a local file. Remote access that would not be blocked by
+            cross-origin rules is still possible when this setting is disabled (default).
+            Note that disabling this setting does not stop XMLHttpRequests or media elements in
+            local files from accessing remote content. Basically, it only stops some HTML
+            subresources, such as scripts, and therefore disabling this setting is not a safety
+            mechanism.
     \value  XSSAuditingEnabled
             Monitors load requests for cross-site scripting attempts. Suspicious scripts are blocked
             and reported in the inspector's JavaScript console. Disabled by default, because it