https://bugs.kde.org/show_bug.cgi?id=431218

--- Comment #3 from Timo Weingärtner <t...@tiwe.de> ---
I sent you a test case in private mail.

When reading your patch and the surrounding code it looks like only some
(images, now also fonts) request types are blacklisted. What about external
style sheets or other types that might grow in HTML-land? Are there any
external requests you think should be allowed?

Regarding URL schemes: why is file:// allowed? I could think of some social
engineering attacks that might work by including files from the victim's
computer. I would read "external request" as external to the e-mail in
question.

To me the function could be as simple as:

----8<----8<----
bool
LoadExternalReferencesUrlInterceptor::interceptRequest(QWebEngineUrlRequestInfo &info)
{
    // User explicitly allowed external references: let everything through.
    if (mAllowLoadExternalReference) {
        return false;
    }

    // Otherwise only content embedded in the mail itself may be fetched,
    // whatever the request type (image, font, style sheet, ...).
    const QString scheme = info.requestUrl().scheme();
    if (scheme == QLatin1String("data")
        || scheme == QLatin1String("cid")) {
        return false;
    }

    // Everything else (http, https, file, ...) is external and gets blocked.
    return true;
}
----8<----8<----
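As an added illustration of the point made in this comment (example code, not from the bug report, the patch or KMail): a type-based denylist that only covers images and fonts versus a scheme allowlist that only admits data: and cid:. Qt types are replaced by plain std::string so it compiles stand-alone; the resource types and URLs are constructed sample input.

```cpp
// Added example: denylist-by-resource-type vs allowlist-by-URL-scheme for
// HTML mail. Qt's QWebEngineUrlRequestInfo is stood in for by an enum plus
// a std::string URL (assumption), so this builds without Qt.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

enum class ResourceType { Image, Font, Stylesheet, Script, Other };

struct Request {
    ResourceType type;
    std::string url;
};

// Lower-cased URL scheme (text before the first ':'), or "" if there is none.
std::string schemeOf(const std::string& url) {
    const auto pos = url.find(':');
    if (pos == std::string::npos) return "";
    std::string s = url.substr(0, pos);
    for (auto& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// The shape the comment criticises: only listed types are blocked, so any
// request type not on the list (style sheets, scripts, future kinds) leaks.
bool blockedByTypeDenylist(const Request& r) {
    return r.type == ResourceType::Image || r.type == ResourceType::Font;
}

// The comment's proposal: block unless the content is part of the mail
// (data: or cid:), independent of the request type; file:// is external too.
bool blockedBySchemeAllowlist(const Request& r, bool allowExternal = false) {
    if (allowExternal) return false;
    const std::string scheme = schemeOf(r.url);
    return !(scheme == "data" || scheme == "cid");
}

int main() {
    // Constructed sample requests a rendered HTML mail might issue.
    const std::vector<Request> reqs = {
        {ResourceType::Image,      "https://www.example.com/pixel.png"},
        {ResourceType::Stylesheet, "https://www.example.com/track.css"},
        {ResourceType::Image,      "file:///home/user/Pictures/photo.jpg"},
        {ResourceType::Image,      "cid:image001@example.com"},
        {ResourceType::Image,      "data:image/png;base64,iVBORw0KGgo="},
    };
    for (const auto& r : reqs)
        std::cout << r.url << "  type-denylist:" << blockedByTypeDenylist(r)
                  << "  scheme-allowlist:" << blockedBySchemeAllowlist(r) << '\n';
}
```

Only the scheme allowlist blocks the external style sheet and the file:// image; the type denylist lets both through.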
