[webkit-dev] Intent to remove the WebCore::IconDatabase (GTK needs to make a decision)

Geoffrey Garen ggaren at apple.com
Mon Jun 19 15:08:45 PDT 2017


>>>> Another minor comment: it seems like this new API returns raw data. It seems like the native way to use this would result in running untrusted data from the network through image decoders outside the Web Process sandbox. Do we have a way to avoid that?
>>> 
>>> This came up while implementing it for Safari, too. In practice we didn't decode icons out-of-process before so this model was not a regression. I see value in offering this, but it's also something conscientious clients can do on their own with the raw data.
>> 
>> Didn’t we need to create the Safari ImageDecoder service to work around the problem of decoding untrusted icon images?
> 
> That’s not going to be available to other participants in the WebKit Open Source projects.

Sorry — I don't mean to suggest that other projects should adopt Safari's ImageDecoder service. I just want to clarify that Maciej’s concern is more than theoretical.

I would add that I don’t like the idea that it’s the client’s job to be “conscientious” in order to achieve safe rendering of web content. The point of Modern WebKit as a framework is that all clients should get safe rendering by default.

Therefore, I think it’s a flaw that the current API vends only raw encoded data.

Geoff

