[webkit-gtk] Web process sandbox
Michael Catanzaro
mcatanzaro at igalia.com
Wed Jan 7 11:25:02 PST 2015
On Wed, Jan 7, 2015 at 11:57 AM, Martin Robinson <mrobinson at webkit.org>
wrote:
> Perhaps it makes sense that web extensions will need to rely on their
> client programs to access resources outside of the sandbox.
That works fine so long as the client program is written properly: the
client must not trust the web process. That seems obvious, but it's
inevitable that some application is just going to open() whatever the
web extension asks for and not realize that this is dangerous. In
contrast, an application author that grants the web process read access
to the root directory knows full well what he's doing.
The other downside is that changes in the sandbox will be harder to
manage. I want to prevent the web process from accessing the network
(when the network process is enabled). If that happens, a web extension
that, say, downloads adblock filters is going to break. Adding a URL to
a whitelist is a lot easier for the web extension author than modifying
the web extension to ask the UI process to load the URL.
The very considerable benefit, though, is that we don't have to add new
API. We might try this at first, see how many complaints we get, and
add API later if needed. No matter what we choose to do, changes to the
sandbox will give web extension authors a hard time.
> If we
> allow disabling the sandbox or make it simple to expand it, I fear
> that applications will simply switch it off, making their users much
> less secure.
This is also inevitable. I'm OK with making it mandatory.
How about an environment variable that gets checked only for debug
builds?
Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-gtk/attachments/20150107/e6aa9575/attachment-0001.html>
More information about the webkit-gtk
mailing list