[webkit-gtk] Web process sandbox
Michael Catanzaro
mcatanzaro at igalia.com
Thu Jan 8 04:51:08 PST 2015
On Thu, Jan 8, 2015 at 3:24 AM, Sergio Villar Senin
<svillar at igalia.com> wrote:
> If we want to use sandboxing my opinion is that we should be very active
> restricting the potential capabilities of web extensions. Perhaps we
> could declare some fixed safe filesystem path that all of them should
> use or something.
That will work for most web extensions. I think we can do that for now:
whitelist XDG_CONFIG_DIR/webkitgtk/web-extensions and
XDG_DATA_DIR/webkitgtk/web-extensions for extensions to use to store
data, and expect them to use it. If the web extension wants to touch
something more interesting, it needs to go through the UI process. No
new API. (Or just new properties on WebKitWebContext to allow changing
those two whitelisted directories. Or not, to prevent browser writers
from setting one to the root directory or home directory. OK, not.)
This only works so long as the sandbox limits itself to trapping
filesystem-access calls. A stricter sandbox would try to block any
system calls it doesn't use. If we want to do that with our sandbox
(and we should not, at least not at first), then we really have to give
the browser author or web extension full control over filters, or else
it could become difficult or impossible to maintain a web extension.
>> * We need a way to disable the sandbox (before the web process is
>> initialized), for testing purposes. That could be the form of API, say
>> webkit_web_context_set_web_extension_sandbox_enabled(WebKitWebContext *,
>> gboolean), but it'd probably be nicer to use an environment variable
>> like WEBKIT_SANDBOX_DISABLE.
>
> If that's for testing purposes only, it should likely be part of
> WebCore's internals API.
I was thinking we should provide something for application developers
to allow testing web extensions. Thinking about this more, let's
instead just provide some nice warning messages when the sandbox blocks
something. (P.S. The sandbox is implemented in WebKit2, not WebCore.)
Happy Thursday,
Michael
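The directory whitelist sketched in the message above, as an added example in C that is not code from this thread or from WebKit: the requested path is normalised before it is compared with the two permitted directories, so "..", "." and doubled slashes cannot escape them, and a sibling directory that merely shares the prefix is rejected. The two base directories are passed in as parameters standing in for the XDG_CONFIG_DIR / XDG_DATA_DIR values in the mail; `normalize_path`, `path_within` and `web_extension_path_allowed` are assumed names, and the sample paths in the comments are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lexically normalise an absolute path (collapse "//", "." and ".."), so that
 * ".../web-extensions/../../other" is judged by where it really points.
 * Assumed helper: a real sandbox would also resolve symlinks via realpath(). */
static bool normalize_path(const char *in, char *out, size_t outsz) {
    size_t len = 0;
    if (in[0] != '/' || outsz < 2) return false;
    for (const char *p = in; *p; ) {
        while (*p == '/') p++;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.')) continue;   /* "" or "." */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {       /* "..": pop */
            while (len > 0 && out[--len] != '/') {}
            continue;
        }
        if (len + 1 + n >= outsz) return false;
        out[len++] = '/';
        memcpy(out + len, seg, n);
        len += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return true;
}

/* `path` is `dir` itself or beneath it; the separator test stops
 * ".../web-extensions-evil" from matching ".../web-extensions". */
static bool path_within(const char *dir, const char *path) {
    size_t dl = strlen(dir);
    return strncmp(path, dir, dl) == 0 && (path[dl] == '\0' || path[dl] == '/');
}

/* The policy from the thread: only <config_dir>/webkitgtk/web-extensions and
 * <data_dir>/webkitgtk/web-extensions are reachable from the web process.
 * Both base directories are assumed absolute and already normalised. */
bool web_extension_path_allowed(const char *config_dir, const char *data_dir, const char *requested) {
    char norm[4096], allowed[4096];
    const char *bases[2] = { config_dir, data_dir };
    if (!normalize_path(requested, norm, sizeof norm)) return false;
    for (int i = 0; i < 2; i++) {
        snprintf(allowed, sizeof allowed, "%s/webkitgtk/web-extensions", bases[i]);
        if (path_within(allowed, norm)) return true;
    }
    return false;
}
```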