From 46b561970579c08af6e2b2df0713f84396e0da0d Mon Sep 17 00:00:00 2001 From: Leena Miettinen Date: Wed, 3 Feb 2016 16:28:47 +0100 Subject: Doc: QWebEngineSettings::WebAttribute values provide no safety mechanisms Task-number: QTBUG-45556 Change-Id: Ifc39eba7f9e9324f180feeb0d99fef1434f97d64 Reviewed-by: Allan Sandfeld Jensen --- src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc b/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc index 3dc23e037..df85c39fb 100644 --- a/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc +++ b/src/webenginewidgets/doc/src/qwebenginesettings_lgpl.qdoc @@ -99,7 +99,14 @@ \value LocalStorageEnabled Enables support for the HTML 5 local storage feature. Enabled by default. \value LocalContentCanAccessRemoteUrls - Allows locally loaded documents to access remote URLs. Disabled by default. + Allows locally loaded documents to ignore cross-origin rules so that they can access + remote resources that would normally be blocked, because all remote resources are + considered cross-origin for a local file. Remote access that would not be blocked by + cross-origin rules is still possible when this setting is disabled (default). + Note that disabling this setting does not stop XMLHttpRequests or media elements in + local files from accessing remote content. Basically, it only stops some HTML + subresources, such as scripts, and therefore disabling this setting is not a safety + mechanism. \value XSSAuditingEnabled Monitors load requests for cross-site scripting attempts. Suspicious scripts are blocked and reported in the inspector's JavaScript console. Disabled by default, because it -- cgit v1.2.3
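Review bot: In the new LocalContentCanAccessRemoteUrls text, "Basically, it only stops some HTML subresources, such as scripts" does not tell the reader which loads are actually blocked when the setting is disabled. Please list the affected subresource types, or state precisely what is blocked, and drop the colloquial "Basically". The default is now buried mid-sentence as "(default)", while the neighbouring values close with "Enabled by default." and "Disabled by default"; a closing "Disabled by default." sentence would stay consistent with them. Since the paragraph ends by saying that disabling the setting "is not a safety mechanism", consider putting that warning in a qdoc \note so it stands out in the rendered page, and say there that XMLHttpRequests and media elements in local files can still reach remote content, so readers do not rely on this attribute to isolate local files.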