We are building an extendable client-server application, where the client is implemented in C++ Qt which allows its users to install plugins on their server and automatically get new UI Widgets inside the Qt client app.
As QML is pretty portable we can transmit the QML Widget code from the server over to the application and run it there. The only problem I'm very concerned about is security!
When we install the plugin, we dont want it to be able to do what ever it wants because we give it access to critical data, we give it certain permissions what it's allowed to do on behalf of the user, and what not, if the plugin for example asks to be able to talk to "example.com" and the user agrees - only then we want the QML code to be able to do XMLHttpRequest's to example.com and/or load images from there embedding URLs in various properties. But in case the QML code tries to communicate with "evil.com" we dont want it to be able to do so!!
After several hours of googling the problem myself I am still unable to find any information on how to actually sandbox portable QML code by for example intercepting network requests and similar. Basically we should remove nearly anything the Qt API has to offer to QML but just for a certain embedded view and then only selectively make certain APIs available based on what permissions this widget has. This is indeed very similar to a regular web browser, we run a QML based client application, and inside there we open QML views which we want to sandbox.
I'd would be great if there's someone out there to help me out!
Maybe there is a way to write a custom QML component in C++ that could sandbox the QML we place in it. I can imagine C++ being flexible enough to define an isolated component. If this is the case then there must be some documentation around this I couldn't find?
I have now found this thread posted 2 years ago which seems very similar to what I was looking for. The solution was to create a new QML component which create a new QML engine instance and isolates the untrusted QML code inside it.
That does isolate the execution context, it does't however monitor the network traffic generated by the component. In my case network communication must be restricted to a certain set of domains, so I need to intercept network going in and out of the component, any idea how?