Question on Application security

Postby dipen » Tue Sep 12, 2017 1:12 am

I am trying to use CEF in Unreal Engine. I want to access user files directly from the file system. To achieve that, I have made some modifications to the C++ code. I'm able to access those files with the modifications below.

Code:
//--------------CEFBrowserApp.cpp

void FCEFBrowserApp::OnRegisterCustomSchemes(CefRefPtr<CefSchemeRegistrar> registrar)
{
   // Register the file scheme
   registrar->AddCustomScheme("file", true, true, false);
}

void FCEFBrowserApp::OnBeforeCommandLineProcessing(const CefString& ProcessType, CefRefPtr<CefCommandLine> CommandLine)
{
   // Added this to allow file upload for HTTPS server.
   // This switch lets HTTPS pages run scripts and other active content loaded over HTTP.
   CommandLine->AppendSwitch("allow-running-insecure-content");
}

//-----------WebBrowserSingleton.cpp

TSharedPtr<IWebBrowserWindow> FWebBrowserSingleton::CreateBrowserWindow(const FCreateBrowserWindowSettings& WindowSettings)
{
   // Specify CEF browser settings here.
   CefBrowserSettings BrowserSettings;
   // To access local files.
   // This turns off same-origin enforcement for every page loaded in this browser.
   BrowserSettings.web_security = STATE_DISABLED;

   // ... (rest of the function, including the return value, omitted in the post)
}


As CEF is a lightweight wrapper around Chromium itself, I just wanted to know about the security breaches that I might have to face with the above changes. Also, is there a way to prevent any malicious attacks, or any other way to access local files without disabling security flags?

Thanks,
- Dipen
dipen
Newbie
 
Posts: 3
Joined: Tue Sep 12, 2017 12:29 am

Re: Question on Application security

Postby magreenblatt » Tue Sep 12, 2017 11:10 am

You will face significant security issues if you browse untrusted websites with those settings. Use a scheme handler or request interception instead. See https://bitbucket.org/chromiumembedded/ ... t-handling
magreenblatt
Site Admin
 
Posts: 12409
Joined: Fri May 29, 2009 6:57 pm
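
The advice above, as an added example that is not from the thread or from the CEF project: the path check a scheme handler or request-interception callback could run before serving a local file, so that web security can stay enabled. The `app://assets/` origin, the asset root directory and all function names are assumptions; wiring the check into CEF's handler classes is not shown.

```cpp
// Added example, not code from the thread. The "app://assets/" origin and
// all function names are hypothetical.
#include <filesystem>
#include <optional>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

static int HexVal(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Percent-decode a URL path. Malformed escapes and encoded NUL bytes fail.
static std::optional<std::string> PercentDecode(const std::string& in) {
  std::string out;
  for (std::size_t i = 0; i < in.size(); ++i) {
    if (in[i] != '%') { out += in[i]; continue; }
    if (i + 2 >= in.size()) return std::nullopt;
    const int hi = HexVal(in[i + 1]), lo = HexVal(in[i + 2]);
    if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) return std::nullopt;
    out += static_cast<char>(hi * 16 + lo);
    i += 2;
  }
  return out;
}

// Map an app://assets/... URL to a file under `root`; nullopt means refuse.
std::optional<fs::path> ResolveAssetUrl(const std::string& url, const fs::path& root) {
  static const std::string kOrigin = "app://assets/";
  if (url.compare(0, kOrigin.size(), kOrigin) != 0) return std::nullopt;
  std::string rest = url.substr(kOrigin.size());
  rest = rest.substr(0, rest.find_first_of("?#"));  // drop query and fragment
  const auto decoded = PercentDecode(rest);
  if (!decoded || decoded->empty() || decoded->find('\\') != std::string::npos)
    return std::nullopt;
  std::error_code ec;
  const fs::path base = fs::weakly_canonical(root, ec);
  if (ec) return std::nullopt;
  // Canonicalize after joining so "..", absolute paths and symlinks resolve.
  const fs::path full = fs::weakly_canonical(base / *decoded, ec);
  if (ec) return std::nullopt;
  const fs::path rel = full.lexically_relative(base);
  if (rel.empty() || rel == "." || *rel.begin() == "..") return std::nullopt;
  return full;
}
```

Only a path returned by `ResolveAssetUrl` would be opened and served; every refusal maps to an error response rather than a fallback to `file://`.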

Re: Question on Application security

Postby dipen » Thu Sep 14, 2017 4:46 am

Thanks for the reply. The user won't be able to change the URL in our application, as we are displaying the CEF browser as an internal component. In this scenario, what might the security issues be? We also want to try out the scheme handler and request interception. Can you please provide any sample links with C++ code in which we can allow file protocols and overcome the CORS issue with XHR requests? Again, thanks for your support.
dipen
Newbie
 
Posts: 3
Joined: Tue Sep 12, 2017 12:29 am

Re: Question on Application security

Postby dipen » Mon Sep 18, 2017 6:47 am

magreenblatt wrote: You will face significant security issues if you browse untrusted websites with those settings. Use a scheme handler or request interception instead. See https://bitbucket.org/chromiumembedded/ ... t-handling

Thanks for the reply. The user won't be able to change the URL in our application, as we are displaying the CEF browser as an internal component. In this scenario, what might the security issues be? We also want to try out the scheme handler and request interception. Can you please provide any sample links with C++ code in which we can allow file protocols and overcome the CORS issue with XHR requests? Again, thanks for your support.
dipen
Newbie
 
Posts: 3
Joined: Tue Sep 12, 2017 12:29 am

Re: Question on Application security

Postby magreenblatt » Tue Sep 19, 2017 1:30 am

dipen wrote: Can you please provide any sample links with c++ code in which, we can allow file protocols and overcome CORS issue with XHR request?

Sorry, I don't have any such samples to provide.
magreenblatt
Site Admin
 
Posts: 12409
Joined: Fri May 29, 2009 6:57 pm
