[webkit-gtk] Modifying HTML before loading it in a WebView

Michael Gratton mike at vee.net
Thu Oct 6 20:45:05 PDT 2016 

Hey Adrián,

Thanks for the suggestions and feedback — I've actually started work 
on this and so am now running into these issues.

On Wed, Aug 3, 2016 at 11:45 PM, Adrián Pérez de Castro 
<aperez at igalia.com> wrote:
>>  One of the things that needs to be taken care of is how Geary does
>>  manipulates an HTML email's markup before loading it into a WebView.
>>  This is done for a few reasons: Applying app-specific and 
>> user-specific
>>  CSS, to implement collapsible quote sections, for handling loading 
>> of
>>  inline and attached images, and to ensure that bulk and junk 
>> messages
>>  containing bugged remote images, etc. aren't automatically 
>> triggered.
> 
> You may want to consider using WebKitUserContentManager [1]. In 
> short, it
> allows you to inject CSS and JavaScript snippets into content loaded 
> in a
> WebKitWebView. The injected JavaScript code runs in the WebProcess, 
> in the
> same context as the loaded web content, and it can manipulate it in 
> any
> way it wants, using the DOM and all the rest of web APIs.
> 
> Additionally, you can register a “message handler”, which allows 
> you to
> send messages from JavaScript with:
> 
>   window.webkit.messageHandlers.<handler-name>.postMessage(value)
> 
> When that function is called from JavaScript, “value” is 
> serialized and
> sent to the UIProcess (your application), and the 
> WebKitUserContentManager
> emits the “script-message-received::<handler-name>” signal.
> 
> If you need to send messages from the UIProcess to the WebProcess, 
> you can
> use webkit_web_view_run_javascript() e.g. to call JavaScript 
> functions which
> have been defined in your injected scripts.

This mechanism sounds good, and I might be able to get away with using 
this rather than implementing a WebExtension, except for one thing: It 
quite reasonably seems to require JavaScript is enabled for 
webkit_web_view_run_javascript() to work, and currently Geary disables 
JavaScript since it's not widely required for HTML email, and since it 
reduces the size of the malware attack surface.

I'm reluctant to re-enable JS because of the secuity angle, but was 
wondering if, aside from playing wack-a-mole by removing SCRIPT 
elements on HTML mail, if there is some mechanism to allow 
WebKitUserContentManager scripts and webkit_web_view_run_javascript() 
to function, while preventing JS in the HTML from executing?

Ta!

//Mike

-- 
⊨ Michael Gratton, Percept Wrangler.
⚙ <http://mjog.vee.net/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-gtk/attachments/20161007/fab01f27/attachment.html>

More information about the webkit-gtk mailing list