Important: Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct

Allowing QtWebKit Bridge only for certain documents



  • Hello there,

    I've finally figured out how to open up part of my application to the web via a webkit bridge. Obviously this poses a severe security risk because any website out there could theoretically access parts of my program. I am trying to set up a JavaScript API that can interact with my program, and would be the only one that can call slots in my program. Is there a way to make sure that only certain websites/.js files can interact via the webkit bridge?

    Thanks!



  • A QWebView has a urlChanged signal:

    @void urlChanged(const QUrl & url)@

    You could listen for this, and enable / diable your backend api based on the loaded url, or restrict access.

    Next you can also provide your own QNetworkAccessManager to QWebPage, where you can have full controll over what gets communicated from and to the server. I used this in the past to alter html form data before it gets send.



  • Say I have a .js file, my qt program, and any website. If that website calls functions in the .js file, it would have access to my program, but if it calls functions in my program but not through the .js file it shouldn't work. is this possible?


Log in to reply