QtWebEngine: "Not allowed to load local resource" for iframe, how to disable web security?

Question

I'm porting my application from WebKit to WebEngine (seems that one is much better for rendering angular-basad html). I faced with problem that i can't enable QtWebEngine to load local iframe, despite the fact that i've setup all possible settings that i found:

Code from mainwindow.cpp

view->page()->settings()->setAttribute(QWebEngineSettings::LocalContentCanAccessFileUrls, true);
view->page()->settings()->setAttribute(QWebEngineSettings::LocalContentCanAccessRemoteUrls, true);
view->page()->settings()->setAttribute(QWebEngineSettings::LocalStorageEnabled, true);

view->settings()->setAttribute(QWebEngineSettings::LocalContentCanAccessFileUrls, true);
view->settings()->setAttribute(QWebEngineSettings::LocalContentCanAccessRemoteUrls, true);
view->settings()->setAttribute(QWebEngineSettings::LocalStorageEnabled, true);

The easiest example is to take WebEngine-based FancyBrowser (\Examples\Qt-5.4\webenginewidgets\fancybrowser) and try to load in it local html file like this:

Index.html:

<html>
<head>
    <title>Hi there</title>
</head>
<body>
    This is a page
    a simple page
    <iframe id="some_idrame" width="0" height="0" style="border: none" src="some_iframe.html" name="target" sandbox="allow-scripts"></iframe>
</body>
</html>

some_iframe.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>La-la-la</title>
</head>
<body>
    Lalala 
</body>
</html>

If you setup env var QTWEBENGINE_REMOTE_DEBUGGING to some port, then you can open 127.0.0.1:port and see in console this error:

"Not allowed to load local resource".

I really have no idea how to solve this problem now... there should be some way to pass to WebEngine something like "--disable-web-security"...

Thanks for any help!

Answer 1

If you need to load local resource(s) by WebEngine, then you need to pass --disable-web-security argument to QApplication, e.g.:

char ARG_DISABLE_WEB_SECURITY[] = "--disable-web-security";
int newArgc = argc+1+1;
char** newArgv = new char*[newArgc];
for(int i=0; i<argc; i++) {
    newArgv[i] = argv[i];
}
newArgv[argc] = ARG_DISABLE_WEB_SECURITY;
newArgv[argc+1] = nullptr;

QApplication myApplication(newArgc, newArgv);

Answer 2

Another option is to load the original page from the filesystem as well. I was having issues loading images from Qt's resource system, so I subclassed QWebEngineView and created this function:

void WebEngineView::setLocalHtml(const QString &html)
{
    if(html.isEmpty())
    {
        setHtml(QString());
        return;
    }

    // Save html to a local file
    QString filePath;
    {
        QTemporaryFile tempFile(QDir::toNativeSeparators(QDir::tempPath() + "/ehr_temp.XXXXXX.html"));
        tempFile.setAutoRemove(false);
        tempFile.open();
        QTextStream out(&tempFile);
        out << html;

        filePath = tempFile.fileName();
    }

    // delete the file after it has been loaded
    QMetaObject::Connection * const conn = new QMetaObject::Connection;
    *conn = connect(this, &WebEngineView::loadFinished, [filePath, conn](){
        disconnect(*conn);
        delete conn;

        QFile::remove(filePath);
    });

    load(QUrl::fromLocalFile(filePath));
}

Since the main page is a local file as well, this gets around the CORS security problem.

Answer 3

this Qt forum link help you . you should pass argument to application "--disable-web-security" https://forum.qt.io/topic/60691/not-allowed-to-load-local-resource-for-iframe-how-to-disable-web-security/4