From e3393a8ee5e825e0e9155b049bb2dbd17c3cd182 Mon Sep 17 00:00:00 2001
From: Brad Davis
Date: Fri, 28 Jun 2019 10:43:03 -0700
Subject: [PATCH] Apply URL validation to top level window QML
---
 .../src/scripting/DesktopScriptingInterface.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/interface/src/scripting/DesktopScriptingInterface.cpp b/interface/src/scripting/DesktopScriptingInterface.cpp
index 8a34c8f2ba..ef5bd7abb9 100644
--- a/interface/src/scripting/DesktopScriptingInterface.cpp
+++ b/interface/src/scripting/DesktopScriptingInterface.cpp
@@ -117,5 +117,15 @@ InteractiveWindowPointer DesktopScriptingInterface::createWindow(const QString&
 Q_ARG(QVariantMap, properties));
 return interactiveWindow;
 }
- return new InteractiveWindow(sourceUrl, properties);;
+
+
+ // The offscreen surface already validates against non-local QML sources, but we also need to ensure that
+ // if we create top level QML, like dock widgets or other types of QQuickView containing desktop windows
+ // that the source URL is permitted
+ const auto& urlValidator = OffscreenQmlSurface::getUrlValidator();
+ if (!urlValidator(sourceUrl)) {
+ return nullptr;
+ }
+
+ return new InteractiveWindow(sourceUrl, properties);
 }
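Review bot: The new rejection path in createWindow (`if (!urlValidator(sourceUrl)) { return nullptr; }`) fails closed but silently, so a script that passes a disallowed QML source gets a null window and nothing is logged about the blocked load. Logging before the return, for example `qWarning() << "createWindow: QML source URL rejected by validator:" << sourceUrl;` (or the project's own logging category), would make rejected sources visible during triage. The check also lives only at this call site, so any other code that constructs InteractiveWindow directly would skip it; enforcing the validator inside the InteractiveWindow constructor or a single factory may be safer, though that class is not visible here and this needs confirming. createWindow begins above the hunk, and the earlier branch that returns `interactiveWindow` appears to re-invoke the method on another thread and so should reach this check on re-entry, which is worth verifying.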