author: Florian Bruhin <git@the-compiler.org> 2018-07-17 11:44:57 +0200
committer: Florian Bruhin <qt-project.org@the-compiler.org> 2018-07-19 15:27:22 +0000
commit: e96f036ac82fd280f1938eaa7a5a8f15fd844325
tree: 70c7061773284e733cbad6009efb66271d79f1a7 /src
parent: df3681dc6c401f3cebb6e767ef8b8ca4e1a8260b
Enable XSS auditing by default
Chromium has XSS auditing enabled by default - it seems like a bad idea for QtWebEngine to disable a Chromium security feature by default.

The Google design document for the XSS auditor also claims[1]:

    Processing costs are essentially zero unless the URL or POST body includes any of the four characters " > < '. When those characters are found, we only invoke heavy processing on those attributes that might be dangerous. This stands in contrast to the XSS Filter in Internet Explorer, which runs costly regular expressions.

Thus, worries about performance issues are likely unsubstantiated.

This can be tested using the first link on [2], where Chromium blocks loading by default but QtWebEngine did not.

[1] https://www.chromium.org/developers/design-documents/xss-auditor
[2] http://webdbg.com/test/xss/auditor.aspx

[ChangeLog][QtWebEngine] The XSSAuditingEnabled setting is now enabled by default, to mirror Chromium's behavior.

Change-Id: Id57177ec8183335bc94cc8c0c440ac1e10d2c74f
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Leena Miettinen <riitta-leena.miettinen@qt.io>
Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'src'):

    src/core/web_engine_settings.cpp                           | 2
    src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc  | 3
    2 files changed, 2 insertions, 3 deletions
diff --git a/src/core/web_engine_settings.cpp b/src/core/web_engine_settings.cpp
index b45d47b46..129a3f01d 100644
--- a/src/core/web_engine_settings.cpp
+++ b/src/core/web_engine_settings.cpp
@@ -262,7 +262,7 @@ void WebEngineSettings::initDefaults()
s_defaultAttributes.insert(LinksIncludedInFocusChain, true);
s_defaultAttributes.insert(LocalStorageEnabled, true);
s_defaultAttributes.insert(LocalContentCanAccessRemoteUrls, false);
- s_defaultAttributes.insert(XSSAuditingEnabled, false);
+ s_defaultAttributes.insert(XSSAuditingEnabled, true);
s_defaultAttributes.insert(SpatialNavigationEnabled, false);
s_defaultAttributes.insert(LocalContentCanAccessFileUrls, true);
s_defaultAttributes.insert(HyperlinkAuditingEnabled, false);
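Review bot: Flipping `s_defaultAttributes.insert(XSSAuditingEnabled, true);` changes the effective security posture of every embedder that never set this attribute, and nothing in this change asserts the new default (the diffstat touches only the settings source and a qdoc file). Consider adding a unit test that reads the default value of XSSAuditingEnabled so a later regression to `false` is caught, and note in the ChangeLog that applications needing the previous behaviour must now disable the attribute explicitly rather than relying on the default.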
diff --git a/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc b/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc
index fde39fbba..18187d86e 100644
--- a/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc
+++ b/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc
@@ -113,8 +113,7 @@
mechanism.
\value XSSAuditingEnabled
Monitors load requests for cross-site scripting attempts. Suspicious scripts are blocked
- and reported in the inspector's JavaScript console. Disabled by default, because it
- might negatively affect performance.
+ and reported in the inspector's JavaScript console. Enabled by default.
\value SpatialNavigationEnabled
Enables the Spatial Navigation feature, which means the ability to navigate between
focusable elements, such as hyperlinks and form controls, on a web page by using the
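Review bot: The replacement sentence "Enabled by default." drops the old rationale without telling readers that the default changed, so anyone comparing against earlier documentation or upgrading an existing application has no signal that behaviour moved. Suggest wording the `\value XSSAuditingEnabled` text along the lines of "Enabled by default (earlier releases disabled it)", and keeping the mention that blocked scripts are reported in the inspector's JavaScript console so integrators know where to look when a legitimate page is blocked by the auditor.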