New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Chromium Web Security breaks HTML5 apps with WebEngine #44

Closed
balcy opened this Issue Oct 10, 2018 · 12 comments

Comments

Projects
4 participants
@balcy
Copy link
Collaborator

balcy commented Oct 10, 2018

today I've upgraded to latest RC (W41) and the RSS reader app did no longer show feeds.
https://open-store.io/app/rssreader.florisluiten
I can post logs later, I saw apparmor messages and some other entries regarding morph-browser

@balcy

This comment has been minimized.

Copy link
Collaborator

balcy commented Oct 10, 2018

the app is HTML based

@balcy

This comment has been minimized.

Copy link
Collaborator

balcy commented Oct 10, 2018

startup log:
https://pastebin.ubuntu.com/p/SNZcSdsq5D/

adding a feed:
qml: [JS] (file:///opt/click.ubuntu.com/rssreader.florisluiten/0.2.4/www/index.html:0) Failed to load https://puri.sm/feed/: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'file://' is therefore not allowed access.
This might be because of the new chromium version: no access from file:// to http(s):// urls and vice versa. (security)

The app is html5 and the desktop file has the command webapp-container ./www/index.html

@dobey

This comment has been minimized.

Copy link

dobey commented Oct 10, 2018

It looks like webapp-container will likely need to grow a command line option equivalent to chromium's --disable-web-security option, so that HTML5 apps will be able to talk to remote services. However, this will also open up the possibility of remote content being able to do things with file:// URIs as well.

@dobey dobey changed the title possible apparmor problem Chromium Web Security breaks HTML5 apps with WebEngine Oct 10, 2018

@balcy

This comment has been minimized.

Copy link
Collaborator

balcy commented Oct 10, 2018

ok I will open another issue for the startup problem (access permission to folder) seen in the pastebin

@dobey

This comment has been minimized.

Copy link

dobey commented Oct 10, 2018

There is already an issue open for that problem, I think against apparmor-easyprof-ubuntu.

@balcy

This comment has been minimized.

Copy link
Collaborator

balcy commented Oct 10, 2018

Ok I will mention it there, then one of them can be marked as duplicate, thanks !

@mateosalta

This comment has been minimized.

Copy link
Contributor

mateosalta commented Oct 15, 2018

does this have anything to do with remote content blocked for a local html? http://doc.qt.io/qt-5/qwebenginesettings.html
QWebEngineSettings::LocalContentCanAccessRemoteUrls

@dobey

This comment has been minimized.

Copy link

dobey commented Oct 16, 2018

It seems like that might solve this @mateosalta if it were hooked up to a CLI option in webapp-container, so that individual apps can specify if they need to.

@mateosalta

This comment has been minimized.

Copy link
Contributor

mateosalta commented Oct 17, 2018

Ah, that sounds good. that way we can leave the regular browser with the default.

@balcy

This comment has been minimized.

Copy link
Collaborator

balcy commented Oct 20, 2018

good news, settings.localContentCanAccessRemoteUrls: true
solves the problem for RSS reader, now we only need to make it configurable as dobey proposed.

@tjrhodes

This comment has been minimized.

Copy link

tjrhodes commented Nov 27, 2018

Device: FP2
System Build: 2018-W48

Issue solved I think. RSS Reader and a couple of other webapps load fine and run ok.

@balcy

This comment has been minimized.

Copy link
Collaborator

balcy commented Nov 27, 2018

are you using https://open-store.io/app/rssreader.florisluiten ? This can load, but new feed contents / new feeds can only be loaded with an updated version of RSS Reader that uses the new flag.
Floris will update the version in open store after doing some other changes (florisluiten/rssreader#12)
Normal webapps have not been affected by this problem (only ones with local html), but for example https://open-store.io/app/utmedia.nfsprodriver already does use the new flag

@UniversalSuperBox UniversalSuperBox moved this from To do to Accepted in OTA-6 QA Tracker Nov 28, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment