From 098680710ad3db2e9bd62928a9e2fb1c7cb8c4a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCri=20Valdmann?= <juri.valdmann@qt.io>
Date: Wed, 17 Oct 2018 10:35:31 +0200
Subject: [PATCH] Allow XMLHttpRequests from qrc to file
Add test for cross origin XMLHttpRequests from/to custom schemes. By default,
this is not allowed, but can be changed by adding an origin access whitelist
entry to blink::WebSecurityPolicy in the renderer.
Do this for the qrc scheme. As a result SecurityOrigin("qrc").CanRequest("file")
will return true, which makes DocumentThreadableLoader::Start disable CORS for
the request. Otherwise, CORS would be used, which only works with CORS enabled
schemes.
Fixes: QTBUG-70228
Change-Id: I2da60fddbbfb490c6d2f03329be286dbc28e1f12
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
.../renderer/content_renderer_client_qt.cpp | 7 ++++
.../widgets/origins/resources/mixedXHR.html | 19 ++++++++++
.../widgets/origins/resources/mixedXHR.txt | 1 +
tests/auto/widgets/origins/tst_origins.cpp | 38 +++++++++++++++++++
tests/auto/widgets/origins/tst_origins.qrc | 2 +
5 files changed, 67 insertions(+)
create mode 100644 tests/auto/widgets/origins/resources/mixedXHR.html
create mode 100644 tests/auto/widgets/origins/resources/mixedXHR.txt
diff --git a/src/core/renderer/content_renderer_client_qt.cpp b/src/core/renderer/content_renderer_client_qt.cpp
index 76baf131b..3eda3993a 100644
--- a/src/core/renderer/content_renderer_client_qt.cpp
+++ b/src/core/renderer/content_renderer_client_qt.cpp
@@ -69,6 +69,8 @@
#include "services/service_manager/public/cpp/service_context.h"
#include "third_party/blink/public/platform/web_url_error.h"
#include "third_party/blink/public/platform/web_url_request.h"
+#include "third_party/blink/public/web/web_security_policy.h"
+#include "third_party/blink/renderer/platform/weborigin/kurl.h"
#include "ui/base/resource/resource_bundle.h"
#include "ui/base/webui/jstemplate_builder.h"
#include "content/public/common/web_preferences.h"
@@ -131,6 +133,11 @@ void ContentRendererClientQt::RenderThreadStarted()
if (!m_spellCheck)
InitSpellCheck();
#endif
+
+ // Allow XMLHttpRequests from qrc to file.
+ blink::WebURL qrc(blink::KURL("qrc:"));
+ blink::WebString file(blink::WebString::FromASCII("file"));
+ blink::WebSecurityPolicy::AddOriginAccessWhitelistEntry(qrc, file, blink::WebString(), true);
}
void ContentRendererClientQt::RenderViewCreated(content::RenderView* render_view)
diff --git a/tests/auto/widgets/origins/resources/mixedXHR.html b/tests/auto/widgets/origins/resources/mixedXHR.html
new file mode 100644
index 000000000..3dfd90006
--- /dev/null
+++ b/tests/auto/widgets/origins/resources/mixedXHR.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Mixed</title>
+ <script>
+ var result;
+ function sendXHR(url) {
+ result = undefined;
+ let req = new XMLHttpRequest();
+ req.addEventListener("load", () => { result = req.responseText });
+ req.addEventListener("error", () => { result = "error"; });
+ req.open("GET", url);
+ req.send();
+ }
+ </script>
+ </head>
+ <body>
+ </body>
+</html>
diff --git a/tests/auto/widgets/origins/resources/mixedXHR.txt b/tests/auto/widgets/origins/resources/mixedXHR.txt
new file mode 100644
index 000000000..b5754e203
--- /dev/null
+++ b/tests/auto/widgets/origins/resources/mixedXHR.txt
@@ -0,0 +1 @@
+ok
\ No newline at end of file
diff --git a/tests/auto/widgets/origins/tst_origins.cpp b/tests/auto/widgets/origins/tst_origins.cpp
index a24791f6f..4e415af90 100644
--- a/tests/auto/widgets/origins/tst_origins.cpp
+++ b/tests/auto/widgets/origins/tst_origins.cpp
@@ -177,6 +177,7 @@ private Q_SLOTS:
void subdirWithoutAccess();
void mixedSchemes();
void mixedSchemesWithCsp();
+ void mixedXHR();
#if defined(WEBSOCKETS)
void webSocket();
#endif
@@ -479,6 +480,43 @@ void tst_Origins::mixedSchemesWithCsp()
QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("canLoadButNotAccess")));
}
+// Load the main page over one scheme, then make an XMLHttpRequest to a
+// different scheme.
+//
+// XMLHttpRequests can only be made to http, https, data, and chrome.
+void tst_Origins::mixedXHR()
+{
+ QVERIFY(load(QSL("file:" THIS_DIR "resources/mixedXHR.html")));
+ eval(QSL("sendXHR('file:" THIS_DIR "resources/mixedXHR.txt')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+ eval(QSL("sendXHR('qrc:/resources/mixedXHR.txt')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("error")));
+ eval(QSL("sendXHR('tst:/resources/mixedXHR.txt')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("error")));
+ eval(QSL("sendXHR('data:,ok')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+
+ QVERIFY(load(QSL("qrc:/resources/mixedXHR.html")));
+ eval(QSL("sendXHR('file:" THIS_DIR "resources/mixedXHR.txt')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+ eval(QSL("sendXHR('qrc:/resources/mixedXHR.txt')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+ eval(QSL("sendXHR('tst:/resources/mixedXHR.txt')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("error")));
+ eval(QSL("sendXHR('data:,ok')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+
+ QVERIFY(load(QSL("tst:/resources/mixedXHR.html")));
+ eval(QSL("sendXHR('file:" THIS_DIR "resources/mixedXHR.txt')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("error")));
+ eval(QSL("sendXHR('qrc:/resources/mixedXHR.txt')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("error")));
+ eval(QSL("sendXHR('tst:/resources/mixedXHR.txt')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+ eval(QSL("sendXHR('data:,ok')"));
+ QTRY_COMPARE(eval(QSL("result")), QVariant(QSL("ok")));
+}
+
#if defined(WEBSOCKETS)
class EchoServer : public QObject {
Q_OBJECT
diff --git a/tests/auto/widgets/origins/tst_origins.qrc b/tests/auto/widgets/origins/tst_origins.qrc
index 0b1fe2d31..fcf54aaea 100644
--- a/tests/auto/widgets/origins/tst_origins.qrc
+++ b/tests/auto/widgets/origins/tst_origins.qrc
@@ -7,6 +7,8 @@
<file>resources/mixedSchemes.html</file>
<file>resources/mixedSchemesWithCsp.html</file>
<file>resources/mixedSchemes_frame.html</file>
+ <file>resources/mixedXHR.html</file>
+ <file>resources/mixedXHR.txt</file>
<file>resources/serviceWorker.html</file>
<file>resources/serviceWorker.js</file>
<file>resources/sharedWorker.html</file>
--
GitLab