E-book viewer: Prevent javascript in the book from accessing files on…
… the computer using XMLHttpRequest. Fixes #1651728 [Private bug](https://bugs.launchpad.net/calibre/+bug/1651728)
kovidgoyal committed Dec 21, 2016
1 parent 320f81c commit 3a89718
Showing 2 changed files with 3 additions and 2 deletions.
2 changes: 2 additions & 0 deletions src/calibre/gui2/tweak_book/preview.py
@@ -145,6 +145,7 @@ def clear(self):
def is_alive(self):
return Thread.is_alive(self) or (hasattr(self, 'worker') and self.worker.is_alive())


parse_worker = ParseWorker()
# }}}

@@ -280,6 +281,7 @@ def __init__(self, parent):
settings.setAttribute(settings.PrivateBrowsingEnabled, True)
settings.setAttribute(settings.JavascriptCanOpenWindows, False)
settings.setAttribute(settings.JavascriptCanAccessClipboard, False)
settings.setAttribute(settings.LocalContentCanAccessFileUrls, False) # ensure javascript cannot read from local files
settings.setAttribute(settings.LinksIncludedInFocusChain, False)
settings.setAttribute(settings.DeveloperExtrasEnabled, True)
settings.setDefaultTextEncoding('utf-8')
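Review bot: In `__init__` the new `LocalContentCanAccessFileUrls` line blocks local documents from reading other local URLs, but none of the visible settings pins `LocalContentCanAccessRemoteUrls`, so whether book script can reach the network still depends on the Qt default. I would set it explicitly next to the new line, `settings.setAttribute(settings.LocalContentCanAccessRemoteUrls, False)`, so the hardening does not change if the default or the build of the web engine does. The same applies to `apply_basic_settings` in src/calibre/gui2/viewer/documentview.py. The body of `__init__` runs beyond this hunk, so the attribute may already be set out of view. Note also that `DeveloperExtrasEnabled` stays `True` here, which is presumably intended for the editor preview.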
3 changes: 1 addition & 2 deletions src/calibre/gui2/viewer/documentview.py
@@ -53,6 +53,7 @@ def apply_basic_settings(settings):
settings.setAttribute(QWebSettings.PluginsEnabled, False)
settings.setAttribute(QWebSettings.JavascriptCanOpenWindows, False)
settings.setAttribute(QWebSettings.JavascriptCanAccessClipboard, False)
settings.setAttribute(QWebSettings.LocalContentCanAccessFileUrls, False) # ensure javascript cannot read from local files
# PrivateBrowsing disables console messages
# settings.setAttribute(QWebSettings.PrivateBrowsingEnabled, True)
settings.setAttribute(QWebSettings.NotificationsEnabled, False)
@@ -1435,5 +1436,3 @@ def follow_footnote_link(self):
self.link_clicked(qurl)

# }}}


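Review bot: The trailing comment on the `LocalContentCanAccessFileUrls` line in `apply_basic_settings` promises more than the attribute provides. It stops a document loaded from a local URL from reading other local URLs through script, which is presumably what blocks the XMLHttpRequest case in the commit title, and it only helps while book content is actually served under a local scheme. I would word it as `# stop script in locally loaded book content from reading other local URLs (e.g. via XMLHttpRequest), bug 1651728` so a later maintainer knows which threat the line covers and what it does not. The identical line and comment are also added inline in preview.py; a shared settings helper would keep future hardening from landing in only one of the two viewers. `apply_basic_settings` starts and ends outside this hunk.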