Add --enable-webengine-inspector option

Since the inspector can be a security risk, it's now not linked to
developer-extras anymore until QtWebEngine provides a better way to
access it.

See:

https://bugreports.qt.io/browse/QTBUG-50725
http://bouk.co/blog/hacking-developers/

doc/help/settings.asciidoc

@@ -397,7 +397,7 @@ This setting is only available with the QtWebKit backend.
 === developer-extras
 Enable extra tools for Web developers.
 
-This needs to be enabled for `:inspector` to work and also adds an _Inspect_ entry to the context menu.
+This needs to be enabled for `:inspector` to work and also adds an _Inspect_ entry to the context menu. For QtWebEngine, see 'qutebrowser --help' instead.
 
 Valid values:
 
@@ -406,6 +406,8 @@ Valid values:
 
 Default: +pass:[false]+
 
+This setting is only available with the QtWebKit backend.
+
 [[general-print-element-backgrounds]]
 === print-element-backgrounds
 Whether the background color and images are also drawn when the page is printed.

doc/qutebrowser.1.asciidoc

@@ -59,6 +59,9 @@ show it.
 *--backend* '{webkit,webengine}'::
     Which backend to use (webengine backend is EXPERIMENTAL!).
 
+*--enable-webengine-inspector*::
+    Enable the web inspector for QtWebEngine. Note that this is a SECURITY RISK and you should not visit untrusted websites with the inspector turned on. See https://bugreports.qt.io/browse/QTBUG-50725 for more details.
+
 === debug arguments
 *-l* '{critical,error,warning,info,debug,vdebug}', *--loglevel* '{critical,error,warning,info,debug,vdebug}'::
     Set loglevel

qutebrowser/browser/inspector.py

@@ -26,7 +26,6 @@ from PyQt5.QtWidgets import QWidget
 
 from qutebrowser.utils import log, objreg
 from qutebrowser.misc import miscwidgets
-from qutebrowser.config import config
 
 
 def create(parent=None):
@@ -91,13 +90,6 @@ class AbstractWebInspector(QWidget):
         state_config['geometry']['inspector'] = geom
         super().closeEvent(e)
 
-    def _check_developer_extras(self):
-        """Check if developer-extras are enabled."""
-        if not config.get('general', 'developer-extras'):
-            raise WebInspectorError(
-                "Please enable developer-extras before using the "
-                "webinspector!")
-
     def inspect(self, page):
         """Inspect the given QWeb(Engine)Page."""
         raise NotImplementedError

qutebrowser/browser/webengine/webengineinspector.py

@@ -41,13 +41,12 @@ class WebEngineInspector(inspector.AbstractWebInspector):
 
     def inspect(self, _page):
         """Set up the inspector."""
-        self._check_developer_extras()
         try:
             port = int(os.environ['QTWEBENGINE_REMOTE_DEBUGGING'])
         except KeyError:
             raise inspector.WebInspectorError(
-                "Debugging is not set up correctly. Did you restart after "
+                "Debugging is not enabled. See 'qutebrowser --help' for "
-                "setting developer-extras?")
+                "details.")
         url = QUrl('http://localhost:{}/'.format(port))
         self._widget.load(url)
         self.show()

qutebrowser/browser/webengine/webenginesettings.py

@@ -106,10 +106,9 @@ def update_settings(section, option):
         _init_stylesheet(profile)
 
 
-def init(_args):
+def init(args):
     """Initialize the global QWebSettings."""
-    if config.get('general', 'developer-extras'):
+    if args.enable_webengine_inspector:
-        # FIXME:qtwebengine Make sure we call globalSettings *after* this...
         os.environ['QTWEBENGINE_REMOTE_DEBUGGING'] = str(utils.random_port())
 
     profile = QWebEngineProfile.defaultProfile()

qutebrowser/browser/webkit/webkitinspector.py

@@ -23,6 +23,7 @@
 from PyQt5.QtWebKitWidgets import QWebInspector
 
 from qutebrowser.browser import inspector
+from qutebrowser.config import config
 
 
 class WebKitInspector(inspector.AbstractWebInspector):
@@ -35,6 +36,9 @@ class WebKitInspector(inspector.AbstractWebInspector):
         self._set_widget(qwebinspector)
 
     def inspect(self, page):
-        self._check_developer_extras()
+        if not config.get('general', 'developer-extras'):
+            raise inspector.WebInspectorError(
+                "Please enable developer-extras before using the "
+                "webinspector!")
         self._widget.setPage(page)
         self.show()

qutebrowser/config/configdata.py

@@ -184,10 +184,12 @@ def data(readonly=False):
              "icons."),
 
             ('developer-extras',
-             SettingValue(typ.Bool(), 'false'),
+             SettingValue(typ.Bool(), 'false',
+                          backends=[usertypes.Backend.QtWebKit]),
              "Enable extra tools for Web developers.\n\n"
              "This needs to be enabled for `:inspector` to work and also adds "
-             "an _Inspect_ entry to the context menu."),
+             "an _Inspect_ entry to the context menu. For QtWebEngine, see "
+             "'qutebrowser --help' instead."),
 
             ('print-element-backgrounds',
              SettingValue(typ.Bool(), 'true',

qutebrowser/qutebrowser.py

@@ -66,6 +66,12 @@ def get_argparser():
     parser.add_argument('--backend', choices=['webkit', 'webengine'],
                         help="Which backend to use (webengine backend is "
                              "EXPERIMENTAL!).", default='webkit')
+    parser.add_argument('--enable-webengine-inspector', action='store_true',
+                        help="Enable the web inspector for QtWebEngine. Note "
+                        "that this is a SECURITY RISK and you should not visit "
+                        "untrusted websites with the inspector turned on. See "
+                        "https://bugreports.qt.io/browse/QTBUG-50725 for more "
+                        "details.")
 
     parser.add_argument('--json-args', help=argparse.SUPPRESS)
     parser.add_argument('--temp-basedir-restarted', help=argparse.SUPPRESS)

tests/end2end/features/misc.feature

@@ -130,11 +130,17 @@ Feature: Various utility commands.
 
     # :inspect
 
+    @qtwebengine_skip
     Scenario: Inspector without developer extras
         When I set general -> developer-extras to false
         And I run :inspector
         Then the error "Please enable developer-extras before using the webinspector!" should be shown
 
+    @qtwebkit_skip
+    Scenario: Inspector without --enable-webengine-inspector
+        When I run :inspector
+        Then the error "Debugging is not enabled. See 'qutebrowser --help' for details." should be shown
+
     @no_xvfb @posix @qtwebengine_skip
     Scenario: Inspector smoke test
         When I set general -> developer-extras to true
@@ -145,6 +151,7 @@ Feature: Various utility commands.
         Then no crash should happen
 
     # Different code path as an inspector got created now
+    @qtwebengine_skip
     Scenario: Inspector without developer extras (after smoke)
         When I set general -> developer-extras to false
         And I run :inspector