rnhmjoj/qutebrowser
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add warnings for QtWebKit and old Qt

Browse Source 
See #3839, #4039
This commit is contained in:
Florian Bruhin 2018-09-18 08:36:26 +02:00
parent d759846189
commit f2e91cc82e
6 changed files with 143 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/changelog.asciidoc
View File

@ -38,6 +38,8 @@ Added
mode. This mode uses less RAM, but the expense of performance.
- New `content.webrtc_ip_handling_policy` setting, which allows more
fine-grained/restrictive control about which IPs are exposed via WebRTC.
- Running qutebrowser with QtWebKit or Qt < 5.9 now shows a warning (only
once), as support for those is going to be removed in a future release.
Changed
~~~~~~~

11
qutebrowser/app.py
View File

@ -72,9 +72,9 @@ from qutebrowser.keyinput import macros
from qutebrowser.mainwindow import mainwindow, prompt
from qutebrowser.misc import (readline, ipc, savemanager, sessions,
crashsignal, earlyinit, sql, cmdhistory,
backendproblem)
backendproblem, objects)
from qutebrowser.utils import (log, version, message, utils, urlutils, objreg,
usertypes, standarddir, error)
usertypes, standarddir, error, qtutils)
# pylint: disable=unused-import
# We import those to run the cmdutils.register decorators.
from qutebrowser.mainwindow.statusbar import command
@ -373,6 +373,13 @@ def _open_special_pages(args):
'qutebrowser.conf')),
'qute://help/configuring.html'),
('webkit-warning-shown',
objects.backend == usertypes.Backend.QtWebKit,
'qute://warning/webkit'),
('old-qt-warning-shown',
not qtutils.version_check('5.9'),
'qute://warning/old-qt'),
]
for state, condition, url in pages:

18
qutebrowser/browser/qutescheme.py
View File

@ -39,7 +39,7 @@ except ImportError:
# New in Python 3.6
secrets = None
from PyQt5.QtCore import QUrlQuery, QUrl
from PyQt5.QtCore import QUrlQuery, QUrl, qVersion
import qutebrowser
from qutebrowser.browser import pdfjs, downloads
@ -552,3 +552,19 @@ def qute_pdfjs(url):
else:
mimetype = utils.guess_mimetype(url.fileName(), fallback=True)
return mimetype, data
@add_handler('warning')
def qute_warning(url):
"""Handler for qute://warning."""
path = url.path()
if path == '/old-qt':
src = jinja.render('warning-old-qt.html',
title='Old Qt warning',
qt_version=qVersion())
elif path == '/webkit':
src = jinja.render('warning-webkit.html',
title='QtWebKit backend warning')
else:
raise NotFoundError("Invalid warning page {}".format(path))
return 'text/html', src

9
qutebrowser/html/styled.html
View File

@ -45,4 +45,13 @@ td {
margin-left: 10px;
text-decoration: none;
}
.note {
font-size: smaller;
color: grey;
}
.mono {
font-family: monospace;
}
{% endblock %}

24
qutebrowser/html/warning-old-qt.html Normal file
View File

@ -0,0 +1,24 @@
{% extends "styled.html" %}
{% block content %}
<h1>{{ title }}</h1>
<span class="note">Note this warning will only appear once. Use <span class="mono">:open
qute://warning/old-qt</span> to show it again at a later time.</span>
<p>You're using qutebrowser with Qt {{qt_version}}.</p>
<p>Qt 5.7 was released in June 2016, with the 5.7.1 patch release in December
2016. It is based on Chromium 49 (March 2016) with (some) security fixes up to
Chromium 54 (October 2016). It is also
<a href="https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security">not covered</a>
by Debian security updates.</p>
<p>Qt 5.8 has had various bugs, and has been unsupported (but working to some
degree) in qutebrowser for a while.</p>
<p>Because of those security issues and the maintaince burden coming with
supporting old versions, support for Qt < 5.9 will be dropped in a future
qutebrowser release. You might want to check
<a href="https://qutebrowser.org/doc/install.html">alternate installation methods</a>
which allow you to get a newer Qt.</p>
{% endblock %}

82
qutebrowser/html/warning-webkit.html Normal file
View File

@ -0,0 +1,82 @@
{% extends "styled.html" %}
{% block content %}
<h1>{{ title }}</h1>
<span class="note">Note this warning will only appear once. Use <span class="mono">:open
qute://warning/webkit</span> to show it again at a later time.</span>
<p>You're using qutebrowser with the QtWebKit backend.</p>
<p>Unfortunately, QtWebKit hasn't seen a release (including security updates)
since June 2017, and it also lacks various security features (process
isolation/sandboxing) present in QtWebEngine.</p>
<p>Because of those security issues and the maintaince burden coming with
supporting QtWebKit, support for it will be dropped in a future qutebrowser
release. It's recommended that you use QtWebEngine instead.</p>
<h2>(Outdated) reasons to use QtWebKit</h2>
<p>Most reasons why people preferred the QtWebKit backend aren't relevant anymore:</p>
<p><b>PDF.js support</b>: This qutebrowser release comes with PDF.js support
for QtWebEngine.</p>
<p><b>Missing control over Referer header</b>: This qutebrowser release
supports <span class="mono">content.headers.referer</span> for QtWebEngine.</p>
<p><b>Missing control over cookies</b>: With Qt 5.11 or newer, the <span
class="mono">content.cookies.accept</span> setting works on QtWebEngine.</p>
<p><b>Graphical glitches</b>: The new values for the <span
class="mono">qt.force_software_rendering</span> setting added in v1.4.0 should
hopefully help.</p>
<p><b>Missing support for notifications</b>: Those <a
href="https://bugreports.qt.io/browse/QTBUG-29611">aren't supported yet</a> in
Qt, but support is planned to be added in Qt 5.13, released around May 2019.</p>
<p><b>Resource usage</b>: This release adds the <span
class="mono">qt.process_model</span> and <span
class="mono">qt.low_end_device_mode</span> settings which can be used to
decrease the resource usage of QtWebEngine (but come with other drawbacks).</p>
<p><b>Not trusting Google</b>: Various people have checked the connections made
by QtWebEngine/qutebrowser, and it doesn't make any connections to Google (or
any other unsolicited connections at all). Arguably, having to trust Google
also is a smaller issue than having to trust every website you visit because of
heaps of security issues...</p>
<p><b>Nouveau graphic driver</b>: You can use QtWebEngine with software
rendering. With Qt 5.13 (~May 2019) it might be possible to run with Nouveau
without software rendering.</p>
<p><b>Wayland</b>: It's possible to use QtWebEngine with XWayland. Some users
also seem to be able to run it natively with Qt 5.11, but currently, <span
class="mono">QUTE_SKIP_WAYLAND_CHECK=1</span> needs to be set in the
environment to do so.</p>
<p><b>Instability on FreeBSD</b>: Those seem to be FreeBSD-specific crashes,
and unfortunately nobody has looked into them yet so far...</p>
<p><b>QtWebEngine being unavailable in ArchlinuxARM's PyQt package</b>:
QtWebEngine itself is available on the armv7h/aarch64 architectures, but their
PyQt package is broken and doesn't come with QtWebEngine support. This
<a href="https://archlinuxarm.org/forum/viewtopic.php?f=15&t=11269&p=54587">has
been reported</a> in their forums, but without any change so far. It should
however be possible to rebuild the PyQt package from source with QtWebEngine
installed.</p>
<p><b>QtWebEngine being unavailable on Parabola</b>: Claims of Parabola
developers about QtWebEngine being "non-free" have repeatedly been disputed,
and so far nobody came up with solid evidence about that being the case. Also,
note that their qutebrowser package is orphaned and was often outdated in the
past (even qutebrowser security fixes took months to arrive there). You
might be better off chosing an <a
href="https://qutebrowser.org/doc/install.html">alternative install
method</a>.</p>
<p><b>White flashing between loads with a custom stylesheet</b>: This doesn't
seem to happen with <span class="mono">qt.process_model = single-process</span>
set. However, note that that setting comes with decreased security and
stability, but QtWebKit doesn't have any process isolation at all.</p>
{% endblock %}