authorWarwick Allison <warwick.allison@nokia.com>2010-03-23 04:51:56 (GMT)
committerWarwick Allison <warwick.allison@nokia.com>2010-03-23 04:51:56 (GMT)
commit95aa8c8fc76e2309a629b05994a2677b0887140b (patch)
tree50d7318281610f24df5a9736906a9a6433aba7d8 /src/declarative/qml
parent9a41034cf05ad4c149e3a98dc8e39f5f6ad05d28 (diff)
downloadQt-95aa8c8fc76e2309a629b05994a2677b0887140b.zip
Qt-95aa8c8fc76e2309a629b05994a2677b0887140b.tar.gz
Qt-95aa8c8fc76e2309a629b05994a2677b0887140b.tar.bz2
Basic Loader origin safety (for discussion).
Diffstat (limited to 'src/declarative/qml')
-rw-r--r--src/declarative/qml/qdeclarativecontext.cpp16
-rw-r--r--src/declarative/qml/qdeclarativecontext.h2
2 files changed, 18 insertions, 0 deletions
diff --git a/src/declarative/qml/qdeclarativecontext.cpp b/src/declarative/qml/qdeclarativecontext.cpp
index 85896c4..ab3849a 100644
--- a/src/declarative/qml/qdeclarativecontext.cpp
+++ b/src/declarative/qml/qdeclarativecontext.cpp
@@ -361,6 +361,22 @@ QVariant QDeclarativeContext::contextProperty(const QString &name) const
return value;
}
+bool QDeclarativeContext::isSafeOrigin(const QUrl &src) const
+{
+ if (src.isRelative())
+ return true;
+ if (src.scheme()==QLatin1String("https"))
+ return true;
+
+ QUrl base = baseUrl();
+ if (src.host() == base.host() && src.port() == base.port()) // including files (with no host)
+ return true;
+
+ qWarning() << src << "is not a safe origin from" << base;
+
+ return false;
+}
+
/*!
Resolves the URL \a src relative to the URL of the
containing component.
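Review bot: In `isSafeOrigin()` the `src.isRelative()` shortcut runs on the unresolved URL, and QUrl treats any URL without a scheme as relative, so a network-path reference such as `//other.host/x.qml` returns true before its host is ever compared. The host/port comparison also ignores the scheme, so a URL of another scheme with an empty host matches a `file:` base. In addition, `port()` returns -1 for an omitted port, which makes `http://h/` and `http://h:80/` compare unequal. Consider resolving first with `const QUrl url = resolvedUrl(src);` and then requiring `url.scheme() == base.scheme() && url.host() == base.host() && url.port() == base.port()`. The `https` branch accepts every host, which is a transport property rather than an origin check; if that is intended, it deserves a comment saying so.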
diff --git a/src/declarative/qml/qdeclarativecontext.h b/src/declarative/qml/qdeclarativecontext.h
index a349628..959af8b 100644
--- a/src/declarative/qml/qdeclarativecontext.h
+++ b/src/declarative/qml/qdeclarativecontext.h
@@ -85,6 +85,8 @@ public:
void setBaseUrl(const QUrl &);
QUrl baseUrl() const;
+ bool isSafeOrigin(const QUrl &src) const;
+
private:
friend class QDeclarativeVME;
friend class QDeclarativeEngine;
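Review bot: `isSafeOrigin()` is added to the public section of the class with no statement of what "safe" means, and its definition in the .cpp has no qdoc block, unlike the function that follows it there. Callers who gate loading on this result need the policy spelled out, for example `Returns true if \a src is relative, uses https, or has the same host and port as baseUrl(); otherwise logs a warning and returns false.` The comment should also say whether `src` is expected to be resolved before the call.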