[qutebrowser] Security issue with QtWebEngine web inspector

Florian Bruhin me at the-compiler.org
Wed Nov 23 08:22:57 CET 2016


Hi,

if you're using qutebrowser from git with --backend webengine and have
general -> developer-extras enabled, the inspector runs on a port
bound to localhost (which is the only way to access it currently).

However, this is not as unproblematic as it might seem, and might
actually allow any website to access the inspector (and thus control
other websites): http://bouk.co/blog/hacking-developers/

Until there's a better solution in QtWebEngine, I'd recommend not
enabling the web inspector when navigating to untrusted websites.

The newest git commit now disables the web inspector (even with
developer-extras enabled) and requires a --enable-webengine-inspector
commandline switch to enable it. If you can't update for some reason,
disabling developer-extras and restarting qutebrowser will have the
same effect.

If you aren't using --backend webengine, or aren't using qutebrowser
from git, or have developer-extras disabled, this does not affect you
in any way.

Florian

-- 
http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP)
   GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc
         I love long mails! | http://email.is-not-s.ms/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://lists.schokokeks.org/pipermail/qutebrowser/attachments/20161123/8d66516b/attachment.asc>


More information about the qutebrowser mailing list