WebPage: Register QWebChannel on isolated ApplicationWorld

This way scripts on pages don't have access to it.
Exception is qupzilla: scheme as internal pages requires the bridge.

GreaseMonkey userscripts now runs on ApplicationWorld too. This fixes
userscript that depend on script world being isolated from main page world.
Tested with 4ChanX + OneeChan.

src/lib/app/mainapplication.cpp

@@ -273,11 +273,19 @@ MainApplication::MainApplication(int &argc, char** argv)
     QWebEngineScript script;
     script.setName(QSL("_falkon_webchannel"));
     script.setInjectionPoint(QWebEngineScript::DocumentCreation);
-    script.setWorldId(QWebEngineScript::MainWorld);
+    script.setWorldId(WebPage::SafeJsWorld);
     script.setRunsOnSubFrames(true);
-    script.setSourceCode(Scripts::setupWebChannel());
+    script.setSourceCode(Scripts::setupWebChannel(script.worldId()));
     m_webProfile->scripts()->insert(script);
 
+    QWebEngineScript script2;
+    script2.setName(QSL("_qupzilla_webchannel2"));
+    script2.setInjectionPoint(QWebEngineScript::DocumentCreation);
+    script2.setWorldId(WebPage::UnsafeJsWorld);
+    script2.setRunsOnSubFrames(true);
+    script2.setSourceCode(Scripts::setupWebChannel(script2.worldId()));
+    m_webProfile->scripts()->insert(script2);
+
     if (!isPrivate()) {
         m_sessionManager = new SessionManager(this);
         m_autoSaver = new AutoSaver(this);

src/lib/autofill/autofill.cpp

@@ -1,6 +1,6 @@
 /* ============================================================
 * Falkon - Qt web browser
-* Copyright (C) 2010-2017 David Rosca <nowrep@gmail.com>
+* Copyright (C) 2010-2018 David Rosca <nowrep@gmail.com>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -27,6 +27,7 @@
 #include "passwordmanager.h"
 #include "qztools.h"
 #include "scripts.h"
+#include "webpage.h"
 
 #include <QXmlStreamWriter>
 #include <QXmlStreamReader>
@@ -45,7 +46,7 @@ AutoFill::AutoFill(QObject* parent)
     QWebEngineScript script;
     script.setName(QSL("_falkon_autofill"));
     script.setInjectionPoint(QWebEngineScript::DocumentReady);
-    script.setWorldId(QWebEngineScript::MainWorld);
+    script.setWorldId(WebPage::SafeJsWorld);
     script.setRunsOnSubFrames(true);
     script.setSourceCode(Scripts::setupFormObserver());
     mApp->webProfile()->scripts()->insert(script);

src/lib/navigation/websearchbar.cpp

@@ -1,6 +1,6 @@
 /* ============================================================
 * Falkon - Qt web browser
-* Copyright (C) 2010-2017 David Rosca <nowrep@gmail.com>
+* Copyright (C) 2010-2018 David Rosca <nowrep@gmail.com>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by

src/lib/tools/scripts.cpp

@@ -18,13 +18,17 @@
 
 #include "scripts.h"
 #include "qztools.h"
+#include "webpage.h"
 
 #include <QUrlQuery>
 
-QString Scripts::setupWebChannel()
+QString Scripts::setupWebChannel(quint32 worldId)
 {
-    QString source =  QL1S("(function() {"
+    QString source =  QL1S("// ==UserScript==\n"
-                           "%1"
+                           "// %1\n"
+                           "// ==/UserScript==\n\n"
+                           "(function() {"
+                           "%2"
                            ""
                            "function registerExternal(e) {"
                            "    window.external = e;"
@@ -66,7 +70,13 @@ QString Scripts::setupWebChannel()
                            ""
                            "})()");
 
-    return source.arg(QzTools::readAllFileContents(QSL(":/qtwebchannel/qwebchannel.js")));
+    QString match;
+    if (worldId == WebPage::SafeJsWorld) {
+        match = QSL("@exclude qupzilla:*");
+    } else {
+        match = QSL("@include qupzilla:*");
+    }
+    return source.arg(match, QzTools::readAllFileContents(QSL(":/qtwebchannel/qwebchannel.js")));
 }
 
 QString Scripts::setupFormObserver()

src/lib/tools/scripts.h

@@ -1,6 +1,6 @@
 /* ============================================================
 * Falkon - Qt web browser
-* Copyright (C) 2015-2016 David Rosca <nowrep@gmail.com>
+* Copyright (C) 2015-2018 David Rosca <nowrep@gmail.com>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -28,7 +28,7 @@ class QWebEngineView;
 class FALKON_EXPORT Scripts
 {
 public:
-    static QString setupWebChannel();
+    static QString setupWebChannel(quint32 worldId);
     static QString setupFormObserver();
 
     static QString setCss(const QString &css);

src/lib/webengine/webpage.cpp

@@ -71,9 +71,7 @@ WebPage::WebPage(QObject* parent)
     , m_blockAlerts(false)
     , m_secureStatus(false)
 {
-    QWebChannel *channel = new QWebChannel(this);
+    setupWebChannelForUrl(QUrl());
-    ExternalJsObject::setupWebChannel(channel, this);
-    setWebChannel(channel);
 
     connect(this, &QWebEnginePage::loadProgress, this, &WebPage::progress);
     connect(this, &QWebEnginePage::loadFinished, this, &WebPage::finished);
@@ -167,13 +165,13 @@ WebHitTestResult WebPage::hitTestContent(const QPoint &pos) const
 
 void WebPage::scroll(int x, int y)
 {
-    runJavaScript(QSL("window.scrollTo(window.scrollX + %1, window.scrollY + %2)").arg(x).arg(y), WebPage::SafeJsWorld);
+    runJavaScript(QSL("window.scrollTo(window.scrollX + %1, window.scrollY + %2)").arg(x).arg(y), SafeJsWorld);
 }
 
 void WebPage::setScrollPosition(const QPointF &pos)
 {
     const QPointF v = mapToViewport(pos.toPoint());
-    runJavaScript(QSL("window.scrollTo(%1, %2)").arg(v.x()).arg(v.y()), WebPage::SafeJsWorld);
+    runJavaScript(QSL("window.scrollTo(%1, %2)").arg(v.x()).arg(v.y()), SafeJsWorld);
 }
 
 bool WebPage::isRunningLoop()
@@ -362,6 +360,20 @@ void WebPage::renderProcessTerminated(QWebEnginePage::RenderProcessTerminationSt
     });
 }
 
+void WebPage::setupWebChannelForUrl(const QUrl &url)
+{
+    QWebChannel *channel = webChannel();
+    if (!channel) {
+        channel = new QWebChannel(this);
+        ExternalJsObject::setupWebChannel(channel, this);
+    }
+    if (url.scheme() == QL1S("qupzilla")) {
+        setWebChannel(channel, UnsafeJsWorld);
+    } else {
+        setWebChannel(channel, SafeJsWorld);
+    }
+}
+
 bool WebPage::acceptNavigationRequest(const QUrl &url, QWebEnginePage::NavigationType type, bool isMainFrame)
 {
     if (!mApp->plugins()->acceptNavigationRequest(this, url, type, isMainFrame))
@@ -373,6 +385,8 @@ bool WebPage::acceptNavigationRequest(const QUrl &url, QWebEnginePage::Navigatio
         const bool isWeb = url.scheme() == QL1S("http") || url.scheme() == QL1S("https");
         const bool globalJsEnabled = mApp->webSettings()->testAttribute(QWebEngineSettings::JavascriptEnabled);
         settings()->setAttribute(QWebEngineSettings::JavascriptEnabled, isWeb ? globalJsEnabled : true);
+
+        setupWebChannelForUrl(url);
     }
 
     return result;

src/lib/webengine/webpage.h

@@ -39,6 +39,7 @@ class FALKON_EXPORT WebPage : public QWebEnginePage
 
 public:
     enum JsWorld {
+        UnsafeJsWorld = QWebEngineScript::MainWorld,
         SafeJsWorld = QWebEngineScript::ApplicationWorld
     };
 
@@ -48,7 +49,7 @@ public:
     WebView *view() const;
 
     bool execPrintPage(QPrinter *printer, int timeout = 1000);
-    QVariant execJavaScript(const QString &scriptSource, quint32 worldId = QWebEngineScript::MainWorld, int timeout = 500);
+    QVariant execJavaScript(const QString &scriptSource, quint32 worldId = UnsafeJsWorld, int timeout = 500);
 
     QPointF mapToViewport(const QPointF &pos) const;
     WebHitTestResult hitTestContent(const QPoint &pos) const;
@@ -84,6 +85,7 @@ private slots:
     void renderProcessTerminated(RenderProcessTerminationStatus terminationStatus, int exitCode);
 
 private:
+    void setupWebChannelForUrl(const QUrl &url);
     bool acceptNavigationRequest(const QUrl &url, NavigationType type, bool isMainFrame) Q_DECL_OVERRIDE;
     bool certificateError(const QWebEngineCertificateError &error) Q_DECL_OVERRIDE;
     QStringList chooseFiles(FileSelectionMode mode, const QStringList &oldFiles, const QStringList &acceptedMimeTypes) Q_DECL_OVERRIDE;

src/lib/webtab/searchtoolbar.cpp

@@ -1,6 +1,6 @@
 /* ============================================================
 * Falkon - Qt web browser
-* Copyright (C) 2010-2017 David Rosca <nowrep@gmail.com>
+* Copyright (C) 2010-2018 David Rosca <nowrep@gmail.com>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -133,7 +133,7 @@ void SearchToolBar::searchText(const QString &text)
         ui->lineEdit->style()->polish(ui->lineEdit);
 
         // Clear selection
-        m_view->page()->runJavaScript(QSL("window.getSelection().empty();"));
+        m_view->page()->runJavaScript(QSL("window.getSelection().empty();"), WebPage::SafeJsWorld);
     });
 }
 

src/plugins/GreaseMonkey/gm_script.cpp

@@ -1,6 +1,6 @@
 /* ============================================================
 * GreaseMonkey plugin for Falkon
-* Copyright (C) 2012-2017 David Rosca <nowrep@gmail.com>
+* Copyright (C) 2012-2018 David Rosca <nowrep@gmail.com>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -19,9 +19,9 @@
 #include "gm_manager.h"
 #include "gm_downloader.h"
 
-#include "qzregexp.h"
 #include "delayedfilewatcher.h"
 #include "mainapplication.h"
+#include "webpage.h"
 
 #include <QFile>
 #include <QTextStream>
@@ -131,7 +131,7 @@ QWebEngineScript GM_Script::webScript() const
     QWebEngineScript script;
     script.setSourceCode(QSL("%1\n%2").arg(m_manager->bootstrapScript(), m_script));
     script.setName(fullName());
-    script.setWorldId(QWebEngineScript::MainWorld);
+    script.setWorldId(WebPage::SafeJsWorld);
     script.setRunsOnSubFrames(!m_noframes);
     return script;
 }