Merge pull request #1116 from kiwix/Issue#904-block-non-zim-external-requests

Block External Content from Zim Web Pages

src/kprofile.cpp

@@ -11,6 +11,11 @@ KProfile::KProfile(QObject *parent) :
     connect(this, &QWebEngineProfile::downloadRequested, this, &KProfile::startDownload);
     installUrlSchemeHandler("zim", &m_schemeHandler);
     settings()->setAttribute(QWebEngineSettings::FullScreenSupportEnabled, true);
+#if QT_VERSION < QT_VERSION_CHECK(5, 13, 0) // Earlier than Qt 5.13
+    setRequestInterceptor(new ExternalReqInterceptor(this));
+#else // Qt 5.13 and later
+    setUrlRequestInterceptor(new ExternalReqInterceptor(this));
+#endif
 }
 
 #if QT_VERSION < QT_VERSION_CHECK(6, 0, 0)
@@ -48,3 +53,13 @@ void KProfile::downloadFinished()
     msgBox.setText(gt("download-finished-message"));
     msgBox.exec();
 }
+
+void ExternalReqInterceptor::interceptRequest(QWebEngineUrlRequestInfo &info)
+{
+    const QString reqUrl = info.requestUrl().toString();
+    if (!reqUrl.startsWith("zim://"))
+    {
+        qDebug() << "Blocked external request to URL: " << reqUrl;
+        info.block(true);
+    }
+}

src/kprofile.h

@@ -2,6 +2,7 @@
 #define KPROFILE_H
 
 #include <QWebEngineProfile>
+#include <QWebEngineUrlRequestInterceptor>
 #if QT_VERSION < QT_VERSION_CHECK(6, 0, 0)
 #include <QWebEngineDownloadItem>
 #else
@@ -30,4 +31,21 @@ public slots:
     void downloadFinished();
 };
 
+/**
+ * @brief Intercepts and blocks a request if it is not native to our zim file.
+ * https://stackoverflow.com/questions/70721311/qwebview-disable-external-resources
+ */
+class ExternalReqInterceptor : public QWebEngineUrlRequestInterceptor
+{
+    Q_OBJECT
+public:
+    explicit ExternalReqInterceptor(QObject *parent = nullptr)
+        : QWebEngineUrlRequestInterceptor(parent)
+    {
+    }
+
+protected:
+    void interceptRequest(QWebEngineUrlRequestInfo &info) override;
+};
+
 #endif // KPROFILE_H