[webkit-gtk] Web process sandbox

Michael Catanzaro mcatanzaro at igalia.com
Wed Jan 7 11:25:02 PST 2015


On Wed, Jan 7, 2015 at 11:57 AM, Martin Robinson <mrobinson at webkit.org> 
wrote:
> Perhaps it makes sense that web extensions will need to rely on their
> client programs to access resources outside of the sandbox.

That works fine so long as the client program is written properly: the 
client must not trust the web process. That seems obvious, but it's 
inevitable that some application is just going to open() whatever the 
web extension asks for and not realize that this is dangerous. In 
contrast, an application author that grants the web process read access 
to the root directory knows full well what he's doing.

The other downside is that changes in the sandbox will be harder to 
manage. I want to prevent the web process from accessing the network 
(when the network process is enabled). If that happens, a web extension 
that, say, downloads adblock filters is going to break. Adding a URL to 
a whitelist is a lot easier for the web extension author than modifying 
the web extension to ask the UI process to load the URL.

The very considerable benefit, though, is that we don't have to add new 
API. We might try this at first, see how many complaints we get, and 
add API later if needed. No matter what we choose to do, changes to the 
sandbox will give web extension authors a hard time.

> If we
> allow disabling the sandbox or make it simple to expand it, I fear
> that applications will simply switch it off, making their users much
> less secure.

This is also inevitable. I'm OK with making it mandatory.

How about an environment variable that gets checked only for debug 
builds?

Michael
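The risk raised above, a UI process that open()s whatever the sandboxed web extension asks for, as an added C example that is not WebKit code: a hypothetical broker in the client program that treats every path arriving over IPC as untrusted and only serves files under one application-chosen root (the root path and function names are assumptions for illustration).

```c
/* Added example (not WebKit code): hypothetical UI-process file broker that treats
 * every path received from the sandboxed web process as untrusted. Assumption:
 * the application exposes exactly one read-only root, e.g. "/srv/app". */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <string.h>

/* Lexically normalize an absolute path (resolving "." and "..") into out.
 * Returns 0 on success, -1 if relative or too long; ".." never climbs above "/". */
int normalize_path(const char *req, char *out, size_t outlen) {
    if (req[0] != '/' || strlen(req) >= PATH_MAX || outlen < PATH_MAX) return -1;
    char tmp[PATH_MAX];
    strcpy(tmp, req);
    size_t n = 1;
    out[0] = '/';
    for (char *seg = strtok(tmp, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {            /* pop one component, but stay at "/" */
            while (n > 1 && out[n - 1] != '/') n--;
            if (n > 1) n--;                      /* also drop the slash before it */
            continue;
        }
        size_t sl = strlen(seg);
        if (n + sl + 2 > outlen) return -1;
        if (out[n - 1] != '/') out[n++] = '/';
        memcpy(out + n, seg, sl);
        n += sl;
    }
    out[n] = '\0';
    return 0;
}

/* 1 if the normalized request is root or below it ("/srv/app2" must not match "/srv/app"). */
int request_allowed(const char *requested, const char *root) {
    char norm[PATH_MAX];
    size_t rl = strlen(root);
    if (normalize_path(requested, norm, sizeof norm) != 0 || strncmp(norm, root, rl) != 0) return 0;
    return norm[rl] == '\0' || norm[rl] == '/';
}

/* Broker entry point: refuse anything outside root, then open read-only. O_NOFOLLOW only
 * guards the last component; a symlink inside root may still point outside it, so a real
 * broker should use Linux openat2() with RESOLVE_BENEATH or re-check the opened fd. */
int broker_open_for_web_process(const char *requested, const char *root) {
    char norm[PATH_MAX];
    if (!request_allowed(requested, root) || normalize_path(requested, norm, sizeof norm) != 0)
        return -1;                           /* refused: log it in the UI process, not the web process */
    return open(norm, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}
```

The web process only ever receives the resulting descriptor (or a refusal), so a sandbox change that removes direct file or network access does not require the extension to gain rights it never had.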