feat(mini-apps): per-app cross-origin access flag

nullmastermind · nullmastermind · commit 4b443dd7d10e · 2026-05-28T16:24:04.000+07:00
The global `miniAppsCrossOriginAccess` setting applied the same
security posture to every mini-app, making it impossible to
isolate automation-heavy apps from ones that don't need it.

- Move the flag from a global setting to `MiniAppDefinition` so
  each app opts in independently
- Default to `false` (secure) instead of the previous global `true`
- Persist and parse `allowCrossOrigin` in both workspace and
  JSON serialisation paths
- Expose a checkbox in `EditMiniAppsDialog` so users can toggle
  it per app with a clear security trade-off label
diff --git a/src/ApplicationSettings.cpp b/src/ApplicationSettings.cpp
@@ -107,10 +107,6 @@ CREATE_SETTING(QuickBrowser, LastProxyHost, lastProxyHost, QString, QStringLiter
 CREATE_SETTING(QuickBrowser, LastProxyPort, lastProxyPort, int, 0)
 CREATE_SETTING(QuickBrowser, LastProxyBypassList, lastProxyBypassList, QString, QStringLiteral(""))
 
-// Cross-origin iframe access for page-agent. Default ON — target users are
-// automation users who need page-agent to read cross-origin iframe content.
-CREATE_SETTING(MiniApps, MiniAppsCrossOriginAccess, miniAppsCrossOriginAccess, bool, true)
-
 CREATE_SETTING(Git, SyntaxHighlightDiffEnabled, syntaxHighlightDiffEnabled, bool, true)
 
 // Files-tab decoration master toggle — see file-tree-git-decorations spec.
diff --git a/src/ApplicationSettings.h b/src/ApplicationSettings.h
@@ -140,11 +140,6 @@ class ApplicationSettings : public QSettings
     DEFINE_SETTING(LastProxyPort, lastProxyPort, int)
     DEFINE_SETTING(LastProxyBypassList, lastProxyBypassList, QString)
 
-    // When true, WebView2 launches with --disable-web-security and
-    // --disable-site-isolation-trials so page-agent scripts can access
-    // cross-origin iframe content. Also gates Page.setBypassCSP.
-    DEFINE_SETTING(MiniAppsCrossOriginAccess, miniAppsCrossOriginAccess, bool)
-
     // Per-workspace task registry. Stored as a single JSON object:
     // { "<cleanPath>": [{"name":"...","command":"..."},...], ... }
     // Never deleted — tasks survive workspace close/removal.
diff --git a/src/MiniAppDefinition.h b/src/MiniAppDefinition.h
@@ -26,6 +26,7 @@ struct MiniAppDefinition
     QString proxyHost;
     int proxyPort = 0;            // 0 = use scheme default
     QString proxyBypassList;
+    bool allowCrossOrigin = false;
 
     bool isValid() const { return !name.isEmpty() && !url.isEmpty(); }
 
diff --git a/src/MiniAppManager.cpp b/src/MiniAppManager.cpp
@@ -240,7 +240,7 @@ void MiniAppManager::launchApp(const MiniAppDefinition &def)
     m_instances.append(instance);
     emit instanceCountChanged(m_instances.size());
 
-    instance->setAllowCrossOrigin(m_app->getSettings()->miniAppsCrossOriginAccess());
+    instance->setAllowCrossOrigin(def.allowCrossOrigin);
     instance->start();
 }
 
diff --git a/src/MiniAppRegistry.cpp b/src/MiniAppRegistry.cpp
@@ -72,6 +72,7 @@ QList<MiniAppDefinition> MiniAppRegistry::workspaceApps(const QString &workspace
         def.proxyHost = obj.value(QStringLiteral("proxyHost")).toString();
         def.proxyPort = obj.value(QStringLiteral("proxyPort")).toInt(0);
         def.proxyBypassList = obj.value(QStringLiteral("proxyBypassList")).toString();
+        def.allowCrossOrigin = obj.value(QStringLiteral("allowCrossOrigin")).toBool(false);
         if (!def.name.isEmpty())
             result.append(def);
     }
@@ -119,6 +120,7 @@ void MiniAppRegistry::setWorkspaceApps(const QString &workspacePath, const QList
             if (def.proxyPort > 0) obj.insert(QStringLiteral("proxyPort"), def.proxyPort);
             if (!def.proxyBypassList.isEmpty()) obj.insert(QStringLiteral("proxyBypassList"), def.proxyBypassList);
         }
+        if (def.allowCrossOrigin) obj.insert(QStringLiteral("allowCrossOrigin"), true);
         arr.append(obj);
     }
 
@@ -186,6 +188,7 @@ QList<MiniAppDefinition> MiniAppRegistry::parseJson(const QString &json)
         def.proxyHost = obj.value(QStringLiteral("proxyHost")).toString();
         def.proxyPort = obj.value(QStringLiteral("proxyPort")).toInt(0);
         def.proxyBypassList = obj.value(QStringLiteral("proxyBypassList")).toString();
+        def.allowCrossOrigin = obj.value(QStringLiteral("allowCrossOrigin")).toBool(false);
         if (!def.name.isEmpty())
             result.append(def);
     }
@@ -216,6 +219,7 @@ QString MiniAppRegistry::toJson(const QList<MiniAppDefinition> &apps)
             if (def.proxyPort > 0) obj.insert(QStringLiteral("proxyPort"), def.proxyPort);
             if (!def.proxyBypassList.isEmpty()) obj.insert(QStringLiteral("proxyBypassList"), def.proxyBypassList);
         }
+        if (def.allowCrossOrigin) obj.insert(QStringLiteral("allowCrossOrigin"), true);
         arr.append(obj);
     }
     return QString::fromUtf8(QJsonDocument(arr).toJson(QJsonDocument::Compact));
diff --git a/src/dialogs/EditMiniAppsDialog.cpp b/src/dialogs/EditMiniAppsDialog.cpp
@@ -7,6 +7,7 @@
 
 #include "EditMiniAppsDialog.h"
 
+#include <QCheckBox>
 #include <QComboBox>
 #include <QDialogButtonBox>
 #include <QDir>
@@ -161,6 +162,13 @@ EditMiniAppsDialog::EditMiniAppsDialog(MiniAppRegistry *registry,
     debugLayout->addWidget(m_portWarningLabel);
     formLayout->addWidget(m_debugGroup);
 
+    // Cross-origin access checkbox
+    m_crossOriginCheck = new QCheckBox(tr("Allow cross-origin iframe access (better automation, less security)"), rightWidget);
+    m_crossOriginCheck->setToolTip(
+        tr("Disables browser sandbox isolation so scripts can access cross-origin iframe content.\n"
+           "Improves automation coverage but reduces security."));
+    formLayout->addWidget(m_crossOriginCheck);
+
     // Proxy section (collapsible)
     m_proxyGroup = new QGroupBox(tr("Proxy"), rightWidget);
     m_proxyGroup->setCheckable(true);
@@ -311,6 +319,7 @@ void EditMiniAppsDialog::commitCurrentApp()
     def.proxyHost = m_proxyGroup->isChecked() ? m_proxyHostEdit->text().trimmed() : QString();
     def.proxyPort = m_proxyGroup->isChecked() ? m_proxyPortSpin->value() : 0;
     def.proxyBypassList = m_proxyGroup->isChecked() ? m_proxyBypassEdit->text().trimmed() : QString();
+    def.allowCrossOrigin = m_crossOriginCheck->isChecked();
 
     // Ensure ID
     if (def.id.isEmpty())
@@ -336,6 +345,7 @@ void EditMiniAppsDialog::loadApp(int row)
     m_timeoutSpin->setEnabled(valid);
     m_debugPortSpin->setEnabled(valid);
     m_randomPortBtn->setEnabled(valid);
+    m_crossOriginCheck->setEnabled(valid);
 
     if (!valid) {
         m_nameEdit->clear();
@@ -351,6 +361,7 @@ void EditMiniAppsDialog::loadApp(int row)
         m_proxyHostEdit->clear();
         m_proxyPortSpin->setValue(0);
         m_proxyBypassEdit->clear();
+        m_crossOriginCheck->setChecked(false);
         m_proxyWarningLabel->hide();
         m_urlWarningLabel->hide();
         m_envWarningLabel->hide();
@@ -377,6 +388,7 @@ void EditMiniAppsDialog::loadApp(int row)
     m_proxyHostEdit->setText(def.proxyHost);
     m_proxyPortSpin->setValue(def.proxyPort);
     m_proxyBypassEdit->setText(def.proxyBypassList);
+    m_crossOriginCheck->setChecked(def.allowCrossOrigin);
     m_urlWarningLabel->hide();
     m_portWarningLabel->hide();
     validateFields();
diff --git a/src/dialogs/EditMiniAppsDialog.h b/src/dialogs/EditMiniAppsDialog.h
@@ -13,6 +13,7 @@
 #include <QDialog>
 #include <QList>
 
+class QCheckBox;
 class QComboBox;
 class QDialogButtonBox;
 class QGroupBox;
@@ -93,6 +94,9 @@ private slots:
     QLineEdit *m_proxyBypassEdit = nullptr;
     QLabel *m_proxyWarningLabel = nullptr;
 
+    // Cross-origin
+    QCheckBox *m_crossOriginCheck = nullptr;
+
     QLabel *m_urlWarningLabel = nullptr;
     QDialogButtonBox *m_buttonBox = nullptr;
 };

Original file line number	Diff line number	Diff line change
`@@ -240,7 +240,7 @@ void MiniAppManager::launchApp(const MiniAppDefinition &def)`
`240`	`240`	`m_instances.append(instance);`
`241`	`241`	`emit instanceCountChanged(m_instances.size());`
`242`	`242`
`243`		`- instance->setAllowCrossOrigin(m_app->getSettings()->miniAppsCrossOriginAccess());`
	`243`	`+ instance->setAllowCrossOrigin(def.allowCrossOrigin);`
`244`	`244`	`instance->start();`
`245`	`245`	`}`
`246`	`246`
Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,7 @@ QList<MiniAppDefinition> MiniAppRegistry::workspaceApps(const QString &workspace`
`72`	`72`	`def.proxyHost = obj.value(QStringLiteral("proxyHost")).toString();`
`73`	`73`	`def.proxyPort = obj.value(QStringLiteral("proxyPort")).toInt(0);`
`74`	`74`	`def.proxyBypassList = obj.value(QStringLiteral("proxyBypassList")).toString();`
	`75`	`+ def.allowCrossOrigin = obj.value(QStringLiteral("allowCrossOrigin")).toBool(false);`
`75`	`76`	`if (!def.name.isEmpty())`
`76`	`77`	`result.append(def);`
`77`	`78`	`}`
`@@ -119,6 +120,7 @@ void MiniAppRegistry::setWorkspaceApps(const QString &workspacePath, const QList`
`119`	`120`	`if (def.proxyPort > 0) obj.insert(QStringLiteral("proxyPort"), def.proxyPort);`
`120`	`121`	`if (!def.proxyBypassList.isEmpty()) obj.insert(QStringLiteral("proxyBypassList"), def.proxyBypassList);`
`121`	`122`	`}`
	`123`	`+ if (def.allowCrossOrigin) obj.insert(QStringLiteral("allowCrossOrigin"), true);`
`122`	`124`	`arr.append(obj);`
`123`	`125`	`}`
`124`	`126`
`@@ -186,6 +188,7 @@ QList<MiniAppDefinition> MiniAppRegistry::parseJson(const QString &json)`
`186`	`188`	`def.proxyHost = obj.value(QStringLiteral("proxyHost")).toString();`
`187`	`189`	`def.proxyPort = obj.value(QStringLiteral("proxyPort")).toInt(0);`
`188`	`190`	`def.proxyBypassList = obj.value(QStringLiteral("proxyBypassList")).toString();`
	`191`	`+ def.allowCrossOrigin = obj.value(QStringLiteral("allowCrossOrigin")).toBool(false);`
`189`	`192`	`if (!def.name.isEmpty())`
`190`	`193`	`result.append(def);`
`191`	`194`	`}`
`@@ -216,6 +219,7 @@ QString MiniAppRegistry::toJson(const QList<MiniAppDefinition> &apps)`
`216`	`219`	`if (def.proxyPort > 0) obj.insert(QStringLiteral("proxyPort"), def.proxyPort);`
`217`	`220`	`if (!def.proxyBypassList.isEmpty()) obj.insert(QStringLiteral("proxyBypassList"), def.proxyBypassList);`
`218`	`221`	`}`
	`222`	`+ if (def.allowCrossOrigin) obj.insert(QStringLiteral("allowCrossOrigin"), true);`
`219`	`223`	`arr.append(obj);`
`220`	`224`	`}`
`221`	`225`	`return QString::fromUtf8(QJsonDocument(arr).toJson(QJsonDocument::Compact));`