authorEike Ziller <eike.ziller@qt.io>2019-09-13 15:18:02 +0200
committerEike Ziller <eike.ziller@qt.io>2019-09-16 11:34:23 +0000
commit8d3e4c03f0e27b096c34326abfd357387f963537 (patch)
tree0dc052c092ad3e984d6658c2ee084662b96f24e1 /src/plugins/help
parent6b31f9cf23cac79c10a9871961e3de79be657b38 (diff)
downloadqt-creator-8d3e4c03f0e27b096c34326abfd357387f963537.tar.gz
Help/QtWebEngine: Prevent remote content
Showing remote content has security implications.
Change-Id: I0b5672d9c814b55aca05ea8a28da4f5e0e9f42fd
Reviewed-by: hjk <hjk@qt.io>
Diffstat (limited to 'src/plugins/help')
-rw-r--r--src/plugins/help/localhelpmanager.cpp8
-rw-r--r--src/plugins/help/webenginehelpviewer.cpp49
-rw-r--r--src/plugins/help/webenginehelpviewer.h13
3 files changed, 67 insertions, 3 deletions
diff --git a/src/plugins/help/localhelpmanager.cpp b/src/plugins/help/localhelpmanager.cpp
index fb9609eec6..07ab621ccc 100644
--- a/src/plugins/help/localhelpmanager.cpp
+++ b/src/plugins/help/localhelpmanager.cpp
@@ -33,6 +33,7 @@
#ifdef QTC_WEBENGINE_HELPVIEWER
#include "webenginehelpviewer.h"
+#include <QWebEngineUrlScheme>
#endif
#ifdef QTC_LITEHTML_HELPVIEWER
#include "litehtmlhelpviewer.h"
@@ -323,6 +324,13 @@ QVector<HelpViewerFactory> LocalHelpManager::viewerBackends()
{
QVector<HelpViewerFactory> result;
#ifdef QTC_WEBENGINE_HELPVIEWER
+ static bool schemeRegistered = false;
+ if (!schemeRegistered) {
+ schemeRegistered = true;
+ QWebEngineUrlScheme scheme("qthelp");
+ scheme.setFlags(QWebEngineUrlScheme::LocalScheme | QWebEngineUrlScheme::LocalAccessAllowed);
+ QWebEngineUrlScheme::registerScheme(scheme);
+ }
result.append(
{kQtWebEngineBackend, tr("QtWebEngine"), []() { return new WebEngineHelpViewer; }});
#endif
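Review bot: The qthelp scheme registration on L38-40 is guarded only by a function-local flag, and as far as I recall the Qt documentation QWebEngineUrlScheme::registerScheme() only takes effect if it runs before Qt WebEngine is initialized (before the first QWebEngineProfile or page exists); a late call is silently ignored, in which case qthelp: is not treated as a local origin and the viewer's `LocalContentCanAccessRemoteUrls=false` no longer covers help pages at all. If viewerBackends() is guaranteed to run before any viewer is constructed, that ordering is the security precondition of this change and deserves a comment above `static bool schemeRegistered = false;`, e.g. `// Must run before the first QWebEngineProfile exists: LocalScheme is what makes the viewer's LocalContentCanAccessRemoteUrls=false apply to qthelp: pages, LocalAccessAllowed lets them reference other local resources.`; otherwise the registration belongs in plugin initialization. viewerBackends() continues outside the hunk.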
diff --git a/src/plugins/help/webenginehelpviewer.cpp b/src/plugins/help/webenginehelpviewer.cpp
index 197f356d79..736d4e6902 100644
--- a/src/plugins/help/webenginehelpviewer.cpp
+++ b/src/plugins/help/webenginehelpviewer.cpp
@@ -34,6 +34,7 @@
#include <QBuffer>
#include <QContextMenuEvent>
#include <QCoreApplication>
+#include <QDesktopServices>
#include <QTimer>
#include <QVBoxLayout>
#include <QWebEngineContextMenuData>
@@ -72,10 +73,40 @@ static HelpUrlSchemeHandler *helpUrlSchemeHandler()
return schemeHandler;
}
+HelpUrlRequestInterceptor::HelpUrlRequestInterceptor(QObject *parent)
+ : QWebEngineUrlRequestInterceptor(parent)
+{}
+
+void HelpUrlRequestInterceptor::interceptRequest(QWebEngineUrlRequestInfo &info)
+{
+ if (!HelpViewer::isLocalUrl(info.requestUrl())
+ && info.navigationType() != QWebEngineUrlRequestInfo::NavigationTypeLink) {
+ info.block(true);
+ }
+}
+
+static HelpUrlRequestInterceptor *helpurlRequestInterceptor()
+{
+ static HelpUrlRequestInterceptor *interceptor = nullptr;
+ if (!interceptor)
+ interceptor = new HelpUrlRequestInterceptor(LocalHelpManager::instance());
+ return interceptor;
+}
+
WebEngineHelpViewer::WebEngineHelpViewer(QWidget *parent) :
HelpViewer(parent),
m_widget(new WebView(this))
{
+ // some of these should already be that way by default, but better be sure
+ QWebEngineSettings *settings = m_widget->settings();
+ settings->setAttribute(QWebEngineSettings::JavascriptCanOpenWindows, false);
+ settings->setAttribute(QWebEngineSettings::LocalContentCanAccessRemoteUrls, false);
+ settings->setAttribute(QWebEngineSettings::XSSAuditingEnabled, true);
+ settings->setAttribute(QWebEngineSettings::PluginsEnabled, false);
+ settings->setAttribute(QWebEngineSettings::AllowRunningInsecureContent, false);
+ settings->setAttribute(QWebEngineSettings::AllowGeolocationOnInsecureOrigins, false);
+ settings->setAttribute(QWebEngineSettings::AllowWindowActivationFromJavaScript, false);
+
m_widget->setPage(new WebEngineHelpPage(this));
auto layout = new QVBoxLayout;
setLayout(layout);
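Review bot: The hardening attributes on L85-92 are applied to `m_widget->settings()` before `m_widget->setPage(new WebEngineHelpPage(this));` on L94; QWebEngineView::settings() returns the settings of the view's current page, and a view without a page creates a default one on demand, so unless this Qt version shares settings across pages the attributes land on a throw-away page and the WebEngineHelpPage that is actually used keeps the profile defaults. Moving `m_widget->setPage(new WebEngineHelpPage(this));` above `QWebEngineSettings *settings = m_widget->settings();` fixes that with no other change, and a comment such as `// applied after setPage() so the attributes reach the page we use` would keep it from regressing. Separately, `XSSAuditingEnabled` has no effect in recent Chromium and `LocalContentCanAccessFileUrls` is left at its default, so it is worth stating in the comment on L84 which attributes the viewer actually relies on. The constructor continues outside the hunk.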
@@ -121,6 +152,7 @@ WebEngineHelpViewer::WebEngineHelpViewer(QWidget *parent) :
QTC_ASSERT(viewProfile, return);
if (!viewProfile->urlSchemeHandler("qthelp"))
viewProfile->installUrlSchemeHandler("qthelp", helpUrlSchemeHandler());
+ viewProfile->setUrlRequestInterceptor(helpurlRequestInterceptor());
}
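Review bot: Installing the interceptor on `viewProfile` (L101) is what enforces "no remote content" at the network layer, but interceptRequest() above (L66-69) exempts requests whose navigationType is NavigationTypeLink, so a remote top-level navigation started from a link is not blocked there and is stopped only by WebEngineHelpPage::acceptNavigationRequest(); any other page created on the same profile would load it. As far as I can tell a navigation rejected by acceptNavigationRequest() never produces a network request, so if the exemption only exists to let that hand-off happen the interceptor can block unconditionally; if it is needed for some observed behaviour, that needs a comment on L67, e.g. `// link navigations are left to acceptNavigationRequest(), which hands them to the system browser`. Note also that setUrlRequestInterceptor() replaces any interceptor previously set on the profile. The constructor starts outside the hunk.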
QFont WebEngineHelpViewer::viewerFont() const
@@ -286,12 +318,23 @@ WebEngineHelpPage::WebEngineHelpPage(QObject *parent)
{
}
-WebView::WebView(WebEngineHelpViewer *viewer)
- : QWebEngineView(viewer),
- m_viewer(viewer)
+bool WebEngineHelpPage::acceptNavigationRequest(const QUrl &url,
+ QWebEnginePage::NavigationType type,
+ bool isMainFrame)
{
+ Q_UNUSED(type)
+ Q_UNUSED(isMainFrame)
+ if (HelpViewer::isLocalUrl(url))
+ return true;
+ QDesktopServices::openUrl(url);
+ return false;
}
+WebView::WebView(WebEngineHelpViewer *viewer)
+ : QWebEngineView(viewer)
+ , m_viewer(viewer)
+{}
+
bool WebView::event(QEvent *ev)
{
// work around QTBUG-43602
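Review bot: acceptNavigationRequest() (L110-119) hands every non-local URL to QDesktopServices::openUrl() regardless of `type` and `isMainFrame`, which are explicitly discarded on L114-115, so help content itself can launch the user's browser (or whatever handler the OS has registered for the scheme) without a click: a `<meta http-equiv="refresh">`, a script assigning `location`, a redirect or an `<iframe src=…>` in an installed .qch file all arrive here and are opened externally. I would limit the external hand-off to top-level, user-initiated link clicks on http(s) URLs and drop everything else silently; what isLocalUrl() admits is defined outside this hunk, so the scheme check here is defence in depth rather than a replacement for it. If mailto: links in help pages are expected, that scheme can be added to the allow list.

```cpp
bool WebEngineHelpPage::acceptNavigationRequest(const QUrl &url,
                                                QWebEnginePage::NavigationType type,
                                                bool isMainFrame)
{
    if (HelpViewer::isLocalUrl(url))
        return true;
    // Only a user-initiated, top-level click on an http(s) link is handed to
    // the system browser; automatic navigations from help content (redirects,
    // meta refresh, scripts, subframes) and other schemes are dropped silently.
    const bool userClick = isMainFrame && type == QWebEnginePage::NavigationTypeLinkClicked;
    const QString scheme = url.scheme().toLower();
    if (userClick && (scheme == QLatin1String("http") || scheme == QLatin1String("https")))
        QDesktopServices::openUrl(url);
    return false;
}
```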
diff --git a/src/plugins/help/webenginehelpviewer.h b/src/plugins/help/webenginehelpviewer.h
index f781889108..259bc571a9 100644
--- a/src/plugins/help/webenginehelpviewer.h
+++ b/src/plugins/help/webenginehelpviewer.h
@@ -27,6 +27,7 @@
#include "helpviewer.h"
+#include <QWebEngineUrlRequestInterceptor>
#include <QWebEngineUrlSchemeHandler>
#include <QWebEngineView>
@@ -42,10 +43,22 @@ public:
void requestStarted(QWebEngineUrlRequestJob *job) override;
};
+class HelpUrlRequestInterceptor : public QWebEngineUrlRequestInterceptor
+{
+public:
+ explicit HelpUrlRequestInterceptor(QObject *parent = nullptr);
+ void interceptRequest(QWebEngineUrlRequestInfo &info) override;
+};
+
class WebEngineHelpPage : public QWebEnginePage
{
public:
explicit WebEngineHelpPage(QObject *parent = nullptr);
+
+protected:
+ bool acceptNavigationRequest(const QUrl &url,
+ QWebEnginePage::NavigationType type,
+ bool isMainFrame) override;
};
class WebView : public QWebEngineView
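Review bot: The two new declarations on L141-146 and L153-156 carry no comment stating the security contract the commit message describes, and the header is where a maintainer adding another viewer or page will look first. I would put `// Blocks every network request that is not a local (qthelp:) URL; installed on the viewer's profile, so it applies to every page using that profile.` above `class HelpUrlRequestInterceptor`, and `// Non-local navigations are never loaded in the viewer; see the .cpp for what, if anything, is handed to the system browser.` above `bool acceptNavigationRequest(`. The `class WebView` declaration at the end of the hunk continues outside SOURCE.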