Origin safety testing for imported resources.

Extends upon 95aa8c8fc76e2309a629b05994a2677b0887140b.
Still under discussion.

2 files changed, 43 insertions, 2 deletions

diff --git a/tests/auto/declarative/qdeclarativelanguage/tst_qdeclarativelanguage.cpp b/tests/auto/declarative/qdeclarativelanguage/tst_qdeclarativelanguage.cpp
index 72b6b28..b6bd3f8 100644
--- a/tests/auto/declarative/qdeclarativelanguage/tst_qdeclarativelanguage.cpp
+++ b/tests/auto/declarative/qdeclarativelanguage/tst_qdeclarativelanguage.cpp
@@ -53,6 +53,19 @@
 
 #include "../../../shared/util.h"
 
+class SafeLocalhostDeclarativeEngine : public QDeclarativeEngine {
+public:
+    SafeLocalhostDeclarativeEngine() : QDeclarativeEngine() {}
+
+    virtual bool isSafeOrigin(const QUrl& to_url, const QUrl& from_url) const
+    {
+        if (to_url.host() == "127.0.0.1")
+            return true;
+        else
+            return QDeclarativeEngine::isSafeOrigin(to_url,from_url);
+    }
+};
+
 /*
 This test case covers QML language issues.  This covers everything that does not
 involve evaluating ECMAScript expressions and bindings.
@@ -121,6 +134,7 @@ private slots:
     void importsLocal();
     void importsRemote_data();
     void importsRemote();
+    void importsUnsafe();
     void importsInstalled_data();
     void importsInstalled();
     void importsOrder_data();
@@ -135,7 +149,7 @@ private slots:
     void crash2();
 
 private:
-    QDeclarativeEngine engine;
+    SafeLocalhostDeclarativeEngine engine;
     void testType(const QString& qml, const QString& type);
 };
 
@@ -1262,6 +1276,33 @@ void tst_qdeclarativelanguage::importsRemote()
     testType(qml,type);
 }
 
+void tst_qdeclarativelanguage::importsUnsafe()
+{
+    TestHTTPServer server(14445);
+    server.serveDirectory(SRCDIR);
+
+    QString qml = "import \"http://127.0.0.1:14445/qtest/declarative/qmllanguage\"\n\nTest {}";
+
+    {
+        QDeclarativeEngine engine; // plain engine without special localhost handling
+        QDeclarativeComponent component(&engine);
+        component.setData(qml.toUtf8(), TEST_FILE("empty.qml")); // just a file for relative local imports
+
+        QTRY_VERIFY(!component.isLoading());
+
+        QVERIFY(component.isError());
+    }
+
+    {
+        QDeclarativeComponent component(&engine); // engine special localhost handling
+        component.setData(qml.toUtf8(), TEST_FILE("empty.qml")); // just a file for relative local imports
+
+        QTRY_VERIFY(!component.isLoading());
+
+        QVERIFY(!component.isError());
+    }
+}
+
 void tst_qdeclarativelanguage::importsInstalled_data()
 {
     // QT-610
diff --git a/tests/auto/declarative/qdeclarativeloader/tst_qdeclarativeloader.cpp b/tests/auto/declarative/qdeclarativeloader/tst_qdeclarativeloader.cpp
index 0deac3a..f27c1ce 100644
--- a/tests/auto/declarative/qdeclarativeloader/tst_qdeclarativeloader.cpp
+++ b/tests/auto/declarative/qdeclarativeloader/tst_qdeclarativeloader.cpp
@@ -491,7 +491,7 @@ void tst_QDeclarativeLoader::networkSafety_data()
     QTest::addColumn<QString>("message");
 
     QTest::newRow("same origin") << QUrl("http://127.0.0.1:14445/sameorigin.qml") << QString();
-    QTest::newRow("different origin") << QUrl("http://127.0.0.1:14445/differentorigin.qml") << QString(" QUrl( \"http://evil.place/evil.qml\" )  is not a safe origin from  QUrl( \"http://127.0.0.1:14445/differentorigin.qml\" )  ");
+    QTest::newRow("different origin") << QUrl("http://127.0.0.1:14445/differentorigin.qml") << QString("QML Loader (http://127.0.0.1:14445/differentorigin.qml:3:1) \"http://evil.place/evil.qml\" is not a safe origin from \"http://127.0.0.1:14445/differentorigin.qml\"");
 }
 
 void tst_QDeclarativeLoader::networkSafety()