[qutebrowser] Security issue with QtWebEngine web inspector
me at the-compiler.org
Wed Nov 23 08:22:57 CET 2016
If you're using qutebrowser from git with --backend webengine and have
general -> developer-extras enabled, the inspector runs on a port
bound to localhost (which is the only way to access it currently).

However, this is not as unproblematic as it might seem, and might
actually allow any website to access the inspector (and thus control
other websites): http://bouk.co/blog/hacking-developers/

Until there's a better solution in QtWebEngine, I'd recommend not
enabling the web inspector when navigating to untrusted websites.

The newest git commit now disables the web inspector (even with
developer-extras enabled) and requires a --enable-webengine-inspector
command-line switch to enable it. If you can't update for some reason,
disabling developer-extras and restarting qutebrowser will have the

If you aren't using --backend webengine, or aren't using qutebrowser
from git, or have developer-extras disabled, this does not affect you
in any way.

http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc
I love long mails! | http://email.is-not-s.ms/
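
A defender-side check for the condition the message describes (a listener bound to localhost and owned by the browser), as an added example that is not part of the original mail or of qutebrowser's code. The process names and the sample `ss` lines, including port 9222, are constructed assumptions; the mail does not state which port the inspector uses.

```python
import re
import shutil
import subprocess

# Assumption: names the browser may appear under in `ss -p` output.
# Adjust for your system (e.g. "python3" if started via `python3 -m qutebrowser`).
ASSUMED_NAMES = frozenset({"qutebrowser", "QtWebEngineProcess"})

LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|\[::1\])$")
USERS = re.compile(r'\("([^"]+)",pid=(\d+)')

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE = """\
LISTEN 0 128 127.0.0.1:9222 0.0.0.0:* users:(("qutebrowser",pid=4242,fd=31))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=901,fd=7))
LISTEN 0 128 [::1]:9222 [::]:* users:(("qutebrowser",pid=4242,fd=32))
"""

def loopback_listeners(ss_output, names=ASSUMED_NAMES):
    """Return (process, pid, host, port) for loopback TCP listeners owned by `names`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not LOOPBACK.match(host) or not port.isdigit():
            continue
        for name, pid in USERS.findall(line):
            if name in names:
                findings.append((name, int(pid), host, int(port)))
    return findings

def scan_live(names=ASSUMED_NAMES):
    """Run ss on this host; returns None if ss is unavailable.
    Without root, ss only shows owners for your own processes."""
    if shutil.which("ss") is None:
        return None
    out = subprocess.run(["ss", "-H", "-ltnp"], capture_output=True,
                         text=True, check=False).stdout
    return loopback_listeners(out, names)

if __name__ == "__main__":
    for name, pid, host, port in loopback_listeners(SAMPLE):
        print(f"{name} (pid {pid}) is listening on {host}:{port}")
```

An empty result from `scan_live()` while the browser is running means no loopback listener was attributed to the listed process names.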