Allow XMLHttpRequests from qrc to file

Add test for cross origin XMLHttpRequests from/to custom schemes. By default, this is not allowed, but can be changed by adding an origin access whitelist entry to blink::WebSecurityPolicy in the renderer. Do this for the qrc scheme. As a result SecurityOrigin("qrc").CanRequest("file") will return true, which makes DocumentThreadableLoader::Start disable CORS for the request. Otherwise, CORS would be used, which only works with CORS enabled schemes. Fixes: QTBUG-70228 Change-Id: I2da60fddbbfb490c6d2f03329be286dbc28e1f12 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Jüri Valdmann <juri.valdmann@qt.io> 2018-10-17 10:35:31 +0200
committer: Jüri Valdmann <juri.valdmann@qt.io> 2018-10-18 09:45:25 +0000
commit: 098680710ad3db2e9bd62928a9e2fb1c7cb8c4a9 (patch)
tree: e2ff2f318f569eceb4457aaf35a95bd8774e1151 /tests
parent: 69d8370f5440854c23d20648c9d35096c12426fe (diff)
4 files changed, 60 insertions, 0 deletions
diff --git a/tests/auto/widgets/origins/resources/mixedXHR.html b/tests/auto/widgets/origins/resources/mixedXHR.html
new file mode 100644
index 000000000..3dfd90006
--- /dev/null
+++ b/tests/auto/widgets/origins/resources/mixedXHR.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <title>Mixed</title>
+        <script>
+         var result;
+         function sendXHR(url) {
+             result = undefined;
+             let req = new XMLHttpRequest();
+             req.addEventListener("load", () => { result = req.responseText });
+             req.addEventListener("error", () => { result = "error"; });
+             req.open("GET", url);
+             req.send();
+         }
+        </script>
+    </head>
+    <body>
+    </body>
+</html>
diff --git a/tests/auto/widgets/origins/resources/mixedXHR.txt b/tests/auto/widgets/origins/resources/mixedXHR.txt
new file mode 100644
index 000000000..b5754e203
--- /dev/null
+++ b/tests/auto/widgets/origins/resources/mixedXHR.txt
@@ -0,0 +1 @@
+ok
+\ No newline at end of file
diff --git a/tests/auto/widgets/origins/tst_origins.cpp b/tests/auto/widgets/origins/tst_origins.cpp
index a24791f6f..4e415af90 100644
--- a/tests/auto/widgets/origins/tst_origins.cpp
+++ b/tests/auto/widgets/origins/tst_origins.cpp
@@ -177,6 +177,7 @@ private Q_SLOTS:
     void subdirWithoutAccess();
     void mixedSchemes();
     void mixedSchemesWithCsp();
+    void mixedXHR();
 #if defined(WEBSOCKETS)
     void webSocket();
 #endif
@@ -479,6 +480,43 @@ void tst_Origins::mixedSchemesWithCsp()
     QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("canLoadButNotAccess")));
 }
 
+// Load the main page over one scheme, then make an XMLHttpRequest to a
+// different scheme.
+//
+// XMLHttpRequests can only be made to http, https, data, and chrome.
+void tst_Origins::mixedXHR()
+{
+    QVERIFY(load(QSL("file:" THIS_DIR "resources/mixedXHR.html")));
+    eval(QSL("sendXHR('file:" THIS_DIR "resources/mixedXHR.txt')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+    eval(QSL("sendXHR('qrc:/resources/mixedXHR.txt')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("error")));
+    eval(QSL("sendXHR('tst:/resources/mixedXHR.txt')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("error")));
+    eval(QSL("sendXHR('data:,ok')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+
+    QVERIFY(load(QSL("qrc:/resources/mixedXHR.html")));
+    eval(QSL("sendXHR('file:" THIS_DIR "resources/mixedXHR.txt')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+    eval(QSL("sendXHR('qrc:/resources/mixedXHR.txt')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+    eval(QSL("sendXHR('tst:/resources/mixedXHR.txt')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("error")));
+    eval(QSL("sendXHR('data:,ok')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+
+    QVERIFY(load(QSL("tst:/resources/mixedXHR.html")));
+    eval(QSL("sendXHR('file:" THIS_DIR "resources/mixedXHR.txt')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("error")));
+    eval(QSL("sendXHR('qrc:/resources/mixedXHR.txt')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("error")));
+    eval(QSL("sendXHR('tst:/resources/mixedXHR.txt')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+    eval(QSL("sendXHR('data:,ok')"));
+    QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+}
+
 #if defined(WEBSOCKETS)
 class EchoServer : public QObject {
     Q_OBJECT
diff --git a/tests/auto/widgets/origins/tst_origins.qrc b/tests/auto/widgets/origins/tst_origins.qrc
index 0b1fe2d31..fcf54aaea 100644
--- a/tests/auto/widgets/origins/tst_origins.qrc
+++ b/tests/auto/widgets/origins/tst_origins.qrc
@@ -7,6 +7,8 @@
     <file>resources/mixedSchemes.html</file>
     <file>resources/mixedSchemesWithCsp.html</file>
     <file>resources/mixedSchemes_frame.html</file>
+    <file>resources/mixedXHR.html</file>
+    <file>resources/mixedXHR.txt</file>
     <file>resources/serviceWorker.html</file>
     <file>resources/serviceWorker.js</file>
     <file>resources/sharedWorker.html</file>
author	Jüri Valdmann <juri.valdmann@qt.io>	2018-10-17 10:35:31 +0200
committer	Jüri Valdmann <juri.valdmann@qt.io>	2018-10-18 09:45:25 +0000
commit	098680710ad3db2e9bd62928a9e2fb1c7cb8c4a9 (patch)
tree	e2ff2f318f569eceb4457aaf35a95bd8774e1151 /tests
parent	69d8370f5440854c23d20648c9d35096c12426fe (diff)