From e96f036ac82fd280f1938eaa7a5a8f15fd844325 Mon Sep 17 00:00:00 2001
From: Florian Bruhin <git@the-compiler.org>
Date: Tue, 17 Jul 2018 11:44:57 +0200
Subject: Enable XSS auditing by default

Chromium has XSS auditing enabled by default - it seems like a bad idea for
QtWebEngine to disable a Chromium security feature by default.

The Google design document for the XSS auditor also claims[1]:

    Processing costs are essentially zero unless the URL or POST body includes
    any of the four characters " > < '. When those characters are found, we only
    invoke heavy processing on those attributes that might be dangerous. This
    stands in contrast to the XSS Filter in Internet Explorer, which runs costly
    regular expressions.

Thus, worries about performance issues are likely unsubstantiated.

This can be tested using the first link on [2], where Chromium blocks loading by
default but QtWebEngine did not.

[1] https://www.chromium.org/developers/design-documents/xss-auditor
[2] http://webdbg.com/test/xss/auditor.aspx

[ChangeLog][QtWebEngine] The XSSAuditingEnabled setting is now enabled by
default, to mirror Chromium's behavior.

Change-Id: Id57177ec8183335bc94cc8c0c440ac1e10d2c74f
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Leena Miettinen <riitta-leena.miettinen@qt.io>
Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
 src/core/web_engine_settings.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/core/web_engine_settings.cpp')

diff --git a/src/core/web_engine_settings.cpp b/src/core/web_engine_settings.cpp
index b45d47b46..129a3f01d 100644
--- a/src/core/web_engine_settings.cpp
+++ b/src/core/web_engine_settings.cpp
@@ -262,7 +262,7 @@ void WebEngineSettings::initDefaults()
         s_defaultAttributes.insert(LinksIncludedInFocusChain, true);
         s_defaultAttributes.insert(LocalStorageEnabled, true);
         s_defaultAttributes.insert(LocalContentCanAccessRemoteUrls, false);
-        s_defaultAttributes.insert(XSSAuditingEnabled, false);
+        s_defaultAttributes.insert(XSSAuditingEnabled, true);
         s_defaultAttributes.insert(SpatialNavigationEnabled, false);
         s_defaultAttributes.insert(LocalContentCanAccessFileUrls, true);
         s_defaultAttributes.insert(HyperlinkAuditingEnabled, false);
-- 
cgit v1.2.3