From 542185386d4929cc2a9326f06b36f66f097fba16 Mon Sep 17 00:00:00 2001 From: Martin Negyokru Date: Wed, 30 Apr 2025 13:36:55 +0200 Subject: [PATCH 1/5] Support chrome.system.display Add simple wrapper for DisplayInfoProvider to make it default constructable. Pick-to: 6.10 Task-number: QTBUG-61676 Change-Id: I3bcb37e7fc687e2226631d2b1a6875383e0bf469 Reviewed-by: Allan Sandfeld Jensen --- src/core/CMakeLists.txt | 1 + .../extensions/api/display_info_provider_qt.cpp | 6 ++++++ .../extensions/api/display_info_provider_qt.h | 15 +++++++++++++++ src/core/extensions/extensions_api_client_qt.cpp | 7 +++++++ src/core/extensions/extensions_api_client_qt.h | 2 ++ 5 files changed, 31 insertions(+) create mode 100644 src/core/extensions/api/display_info_provider_qt.cpp create mode 100644 src/core/extensions/api/display_info_provider_qt.h diff --git a/src/core/CMakeLists.txt b/src/core/CMakeLists.txt index b1298482063..d3ae5303c15 100644 --- a/src/core/CMakeLists.txt +++ b/src/core/CMakeLists.txt @@ -275,6 +275,7 @@ foreach(arch ${archs}) SOURCES common/extensions/extensions_api_provider_qt.cpp common/extensions/extensions_api_provider_qt.h common/extensions/extensions_client_qt.cpp common/extensions/extensions_client_qt.h + extensions/api/display_info_provider_qt.cpp extensions/api/display_info_provider_qt.h extensions/api/runtime_api_delegate_qt.cpp extensions/api/runtime_api_delegate_qt.h extensions/component_extension_resource_manager_qt.cpp extensions/component_extension_resource_manager_qt.h extensions/extension_action_manager.cpp extensions/extension_action_manager.h diff --git a/src/core/extensions/api/display_info_provider_qt.cpp b/src/core/extensions/api/display_info_provider_qt.cpp new file mode 100644 index 00000000000..2b9de29365e --- /dev/null +++ b/src/core/extensions/api/display_info_provider_qt.cpp 
@@ -0,0 +1,6 @@ +// Copyright (C) 2025 The Qt Company Ltd. +// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only + +#include "display_info_provider_qt.h" + +DisplayInfoProviderQt::DisplayInfoProviderQt() = default; diff --git a/src/core/extensions/api/display_info_provider_qt.h b/src/core/extensions/api/display_info_provider_qt.h new file mode 100644 index 00000000000..4df05b0a7e7 --- /dev/null +++ b/src/core/extensions/api/display_info_provider_qt.h @@ -0,0 +1,15 @@ +// Copyright (C) 2025 The Qt Company Ltd. +// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only + +#ifndef DISPLAY_INFO_PROVIDER_QT_H_ +#define DISPLAY_INFO_PROVIDER_QT_H_ + +#include "extensions/browser/api/system_display/display_info_provider.h" + +class DisplayInfoProviderQt : public extensions::DisplayInfoProvider +{ +public: + DisplayInfoProviderQt(); +}; + +#endif // DISPLAY_INFO_PROVIDER_QT_H_ diff --git a/src/core/extensions/extensions_api_client_qt.cpp b/src/core/extensions/extensions_api_client_qt.cpp index 678c252cc08..1cfbe11f791 100644 --- a/src/core/extensions/extensions_api_client_qt.cpp +++ b/src/core/extensions/extensions_api_client_qt.cpp @@ -7,6 +7,8 @@ // found in the LICENSE file. #include "extensions_api_client_qt.h" + +#include "api/display_info_provider_qt.h" #include "file_system_delegate_qt.h" #include "messaging_delegate_qt.h" @@ -69,4 +71,9 @@ MessagingDelegate *ExtensionsAPIClientQt::GetMessagingDelegate() return m_messagingDelegate.get(); } +std::unique_ptr ExtensionsAPIClientQt::CreateDisplayInfoProvider() const +{ + return std::make_unique(); +} + } // namespace extensions diff --git a/src/core/extensions/extensions_api_client_qt.h b/src/core/extensions/extensions_api_client_qt.h index e7838138c74..64c01f475ec 100644 --- a/src/core/extensions/extensions_api_client_qt.h +++ b/src/core/extensions/extensions_api_client_qt.h 
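Review bot: `DisplayInfoProviderQt` in display_info_provider_qt.h is declared with no comment and no overrides, so a reader cannot tell which chrome.system.display calls it is meant to serve. Because nothing is overridden, every call an extension makes presumably falls through to the behaviour of `extensions::DisplayInfoProvider`, including the calls that change display configuration; this is inferred, since the base class is not part of the patch. I would add a class comment such as `// Thin wrapper that only makes the base class default constructible; all system.display behaviour is inherited unchanged.` and mark the class `final`. A test showing what an extension without the `system.display` permission receives would make the exposed surface explicit.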
@@ -13,6 +13,7 @@ namespace extensions { +class DisplayInfoProvider; class FileSystemDelegate; class MessagingDelegate; @@ -30,6 +31,7 @@ class ExtensionsAPIClientQt : public ExtensionsAPIClient CreateMimeHandlerViewGuestDelegate(MimeHandlerViewGuest *guest) const override; void AttachWebContentsHelpers(content::WebContents *web_contents) const override; MessagingDelegate *GetMessagingDelegate() override; + std::unique_ptr CreateDisplayInfoProvider() const override; private: std::unique_ptr m_fileSystemDelegate; From ab5f3fab39abd4f61789a8461d98f54dcdb21c5e Mon Sep 17 00:00:00 2001 From: Martin Negyokru Date: Wed, 30 Apr 2025 16:00:54 +0200 Subject: [PATCH 2/5] Support chrome.system.storage API Initialize the StorageMonitor at startup. Pick-to: 6.10 Task-number: QTBUG-61676 Change-Id: Ic10bd1d012f80c3f231105ea15d466716311cd5c Reviewed-by: Allan Sandfeld Jensen --- src/core/browser_main_parts_qt.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/core/browser_main_parts_qt.cpp b/src/core/browser_main_parts_qt.cpp index 35407a62b0d..ee037d180a7 100644 --- a/src/core/browser_main_parts_qt.cpp +++ b/src/core/browser_main_parts_qt.cpp @@ -35,6 +35,7 @@ #include "ui/display/screen.h" #if BUILDFLAG(ENABLE_EXTENSIONS) +#include "components/storage_monitor/storage_monitor.h" #include "extensions/browser/api/messaging/message_service.h" #include "extensions/common/constants.h" #include "extensions/common/extensions_client.h" @@ -235,6 +236,7 @@ int BrowserMainPartsQt::PreMainMessageLoopRun() extensions::ExtensionsClient::Set(new extensions::ExtensionsClientQt()); extensions::ExtensionsBrowserClient::Set(new extensions::ExtensionsBrowserClientQt()); extensions::ExtensionSystemFactoryQt::GetInstance(); + storage_monitor::StorageMonitor::Create(); #if BUILDFLAG(ENABLE_PLUGINS) content::PluginService *plugin_service = content::PluginService::GetInstance(); From 9d38f39830a08c769cad429b793a97eedd40b35d Mon Sep 17 00:00:00 2001 
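Review bot: `storage_monitor::StorageMonitor::Create()` in `PreMainMessageLoopRun()` has no matching teardown in this patch, whose diffstat shows only the two added lines. The monitor is also started in every build with `ENABLE_EXTENSIONS`, whether or not any extension requests `system.storage`. The function body and the shutdown path lie outside the hunk, so a `storage_monitor::StorageMonitor::Destroy()` call may already exist elsewhere; if it does not, the singleton would outlive the message loop it was created on. I would pair the call with `storage_monitor::StorageMonitor::Destroy();` in the post-main-loop cleanup. I would also add a comment on the new line, `// Needed by chrome.system.storage: reports attached storage devices to extensions holding the system.storage permission.`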
From: Jerome Pasion Date: Mon, 28 Apr 2025 16:03:49 +0200 Subject: [PATCH 3/5] Doc: Add Security Considerations page to Qt WebEngine We need to give security related information to application developers. For Qt WebEngine, a link to the Chromium and Qt security pages are good resources for developers. There is a mention of important web-related issues such as cross-site scripting and untrusted data. Task-number: QTBUG-133086 Pick-to: 6.9 6.10 Change-Id: I90cbcaa801790910aa9880060b4d0d7f9a999dad Reviewed-by: Moss Heim --- src/core/doc/src/qtwebengine-index.qdoc | 1 + src/core/doc/src/qtwebengine-security.qdoc | 68 ++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 src/core/doc/src/qtwebengine-security.qdoc diff --git a/src/core/doc/src/qtwebengine-index.qdoc b/src/core/doc/src/qtwebengine-index.qdoc index b20a96dc1fe..0e00598a567 100644 --- a/src/core/doc/src/qtwebengine-index.qdoc +++ b/src/core/doc/src/qtwebengine-index.qdoc @@ -23,6 +23,7 @@ \li \l{Qt WebEngine Debugging and Profiling} \li \l{Deploying Qt WebEngine Applications} \li \l{Porting from Qt WebKit to Qt WebEngine} + \li \l{Qt WebEngine Security Considerations} \endlist diff --git a/src/core/doc/src/qtwebengine-security.qdoc b/src/core/doc/src/qtwebengine-security.qdoc new file mode 100644 index 00000000000..3ea57ad8326 --- /dev/null +++ b/src/core/doc/src/qtwebengine-security.qdoc 
@@ -0,0 +1,68 @@
+// Copyright (C) 2025 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GFDL-1.3-no-invariants-only
+
+/*!
+ \page qtwebengine-security.html
+ \title Qt WebEngine Security Considerations
+ \ingroup security-considerations
+ \brief Overview of security topics in Qt WebEngine
+
+ This page covers security issues for Qt WebEngine users. As part of Qt,
+ Qt WebEngine follows Qt's security policies. Refer to \l{Security in Qt}
+ for policy information.
+
+ \section1 Chromium Releases and Security Fixes
+
+ Qt WebEngine tracks the release schedule of Chromium. The latest Qt
+ WebEngine version includes the security fixes released in Chromium.
+ For the precise version numbers and released fixes, visit the wiki page
+ at \l{https://wiki.qt.io/QtWebEngine/ChromiumVersions}
+ {QtWebEngine/ChromiumVersions}.
+
+ For more information about how Qt WebEngine Core implements Chromium
+ features and specific versions, read the
+ \l{Qt WebEngine Core Module} section. It is also beneficial to be familiar
+ with Chromium's
+ \l{https://www.chromium.org/Home/chromium-security/}{Security Policy}.
+
+ \section1 Security Topics for Qt WebEngine Applications
+
+ Be aware of handling untrusted data and sensitive data within your
+ application. Data such as images, user information, and system
+ information can be loaded from remote resources, from within the
+ application, or locally on the system. Take care how you process untrusted
+ data in a secure way without degrading performance and exposing sensitive
+ information. Even revealing filenames and directory paths can expose
+ sensitive data such as system information and database structure.
+
+ Qt WebEngine and Chromium have mechanisms such as the
+ \e{same-origin policy} to minimize the risk of loading from unknown sources.
+ Many websites trick users with dialogues and by mimicking popular websites.
+ With \l{Qt WebEngine}, it is possible to simply load and show trusted data + to end-users and lock the interface to prevent unwanted input. Your user + interface should be robust to handle erroneous inputs and unexpected events. + + A serious security issue for web applications is + \e{cross-site scripting} (XSS). The attack involves executing a piece of + code that can trick a web application to generate malicious HTML content to + gain the trust of your user. For example, your application unknowingly + takes malicious code to generate a dialog asking for user credentials. + Those credentials are then sent to an external service which can lead to + breached accounts. Because it is your application that generates the + dialog, users trust the malicious action. Be careful parsing URLs and make + sure that nobody can misuse your user interface. + + Refer to \l{Handling Untrusted Data} for additional information about risks + and mitigation. + + \section1 Configure Qt WebEngine Settings + + It is good practice to enforce \e zero-trust policies that restrict access + by default. Configuring your Qt WebEngine deployment can help restrict user + and remote execution. \l QWebEngineSettings has attributes that can disable + JavaScript execution, disable auto-loading of images, or other mechanisms + to prevent unintended usage. For example, disabling + \l QWebEngineSettings::LocalContentCanAccessFileUrls can create a sandbox + environment similar to Chrome or Firefox. + +*/ From 5cfa442218c649b7bb7805bb0f90ed92c66cd402 Mon Sep 17 00:00:00 2001 From: Alexei Cazacov Date: Thu, 27 Mar 2025 15:26:24 +0200 Subject: [PATCH 4/5] Docs: Qt WebEngine documentation doesn't mention the module requirements This commit adds a note with optional dependences. Fixes: QTBUG-133608 Pick-to: 6.10 6.9 6.8 Change-Id: I9ac4971e2a8b0cbde754a249fb6115112a7fac96 Reviewed-by: Allan Sandfeld Jensen --- src/core/doc/src/qtwebengine-index.qdoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/src/core/doc/src/qtwebengine-index.qdoc b/src/core/doc/src/qtwebengine-index.qdoc index 0e00598a567..b34931d5ce0 100644 --- a/src/core/doc/src/qtwebengine-index.qdoc +++ b/src/core/doc/src/qtwebengine-index.qdoc @@ -9,6 +9,10 @@ \QWE provides functionality for rendering regions of dynamic web content. + \note By default, Qt WebEngine depends on the \l {Qt Positioning} and + \l {Qt WebChannel} optional modules, but can be built without them. Be sure to + install these add-ons when using the online installer. + The functionality in \QWE is divided into the following modules: \annotatedlist qtwebengine-modules @@ -26,7 +30,6 @@ \li \l{Qt WebEngine Security Considerations} \endlist - \section1 Module Evolution \l{Changes to Qt WebEngine} lists important changes in the module API From fdc9650042f42a1c6e8a1acd27aec4a1ced0e952 Mon Sep 17 00:00:00 2001 From: Michal Klocek Date: Tue, 3 Jun 2025 13:09:43 +0200 Subject: [PATCH 5/5] Release with bundled libtiff As user system can have no libtiff, or a different major so version of libtiff installed make sure qt installer provides binaries with bundled libtiff. Pick-to: 6.10 6.9 6.8 Change-Id: Ia3e892b735f0f7facf215e23c538df12fd01581e Reviewed-by: Allan Sandfeld Jensen --- coin/module_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/coin/module_config.yaml b/coin/module_config.yaml index 7b3c557f38e..7563d04f54a 100644 --- a/coin/module_config.yaml +++ b/coin/module_config.yaml @@ -57,7 +57,7 @@ instructions: contains_value: "windows-11_24H2-msvc2022-arm64" - type: AppendToEnvironmentVariable variableName: COMMON_NON_QTBASE_CMAKE_ARGS - variableValue: " -DFEATURE_webengine_system_libxml=OFF" + variableValue: " -DFEATURE_webengine_system_libxml=OFF -DFEATURE_webengine_system_libtiff=OFF" enable_if: condition: property property: features
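Review bot: Adding `-DFEATURE_webengine_system_libtiff=OFF` on the `variableValue` line makes the release binaries carry a bundled libtiff. Fixes for it then reach users only through a new Qt WebEngine release, not through the operating system's package updates. libtiff is a file-format parser that may be handed untrusted input, so that trade-off deserves a record next to the flag. I would add a comment above the instruction, for example `# Bundled libxml/libtiff: security fixes ship only with Qt WebEngine releases, keep the bundled copies current.` The instruction's `enable_if` block continues past the end of the hunk, so the set of targets this applies to is not visible here.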