[webkit-gtk] Modifying HTML before loading it in a WebView

Fri Oct 7 00:25:13 PDT 2016

El vie, 07-10-2016 a las 14:45 +1100, Michael Gratton escribió:
> 
> Hey Adrián,
> 
> Thanks for the suggestions and feedback — I've actually started work
> on this and so am now running into these issues.
> 
> On Wed, Aug 3, 2016 at 11:45 PM, Adrián Pérez de Castro <aperez at igali
> a.com> wrote:
> >  One of the things that needs to be taken care of is how Geary
> > does 
> >  manipulates an HTML email's markup before loading it into a
> > WebView. 
> >  This is done for a few reasons: Applying app-specific and user-
> > specific 
> >  CSS, to implement collapsible quote sections, for handling loading
> > of 
> >  inline and attached images, and to ensure that bulk and junk
> > messages 
> >  containing bugged remote images, etc. aren't automatically
> > triggered.
> > 
> > You may want to consider using WebKitUserContentManager [1]. In
> > short, it
> > allows you to inject CSS and JavaScript snippets into content
> > loaded in a
> > WebKitWebView. The injected JavaScript code runs in the WebProcess,
> > in the
> > same context as the loaded web content, and it can manipulate it in
> > any
> > way it wants, using the DOM and all the rest of web APIs.
> > 
> > Additionally, you can register a “message handler”, which allows
> > you to
> > send messages from JavaScript with:
> > 
> >   window.webkit.messageHandlers.<handler-name>.postMessage(value)
> > 
> > When that function is called from JavaScript, “value” is serialized
> > and
> > sent to the UIProcess (your application), and the
> > WebKitUserContentManager
> > emits the “script-message-received::<handler-name>” signal.
> > 
> > If you need to send messages from the UIProcess to the WebProcess,
> > you can
> > use webkit_web_view_run_javascript() e.g. to call JavaScript
> > functions which
> > have been defined in your injected scripts.
> 
> This mechanism sounds good, and I might be able to get away with
> using this rather than implementing a WebExtension, except for one
> thing: It quite reasonably seems to require JavaScript is enabled for
> webkit_web_view_run_javascript() to work, and currently Geary
> disables JavaScript since it's not widely required for HTML email,
> and since it reduces the size of the malware attack surface.
> 
> I'm reluctant to re-enable JS because of the secuity angle, but was
> wondering if, aside from playing wack-a-mole by removing SCRIPT
> elements on HTML mail, if there is some mechanism to allow
> WebKitUserContentManager scripts and webkit_web_view_run_javascript()
> to function, while preventing JS in the HTML from executing?

That's a very good point, we'll check if that's possible, or wer'll try
to make it possible otherwise. 

> Ta!
> 
> //Mike
> 
> _______________________________________________
> webkit-gtk mailing list
> webkit-gtk at lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-gtk
-- 
Carlos Garcia Campos
http://pgp.rediris.es:11371/pks/lookup?op=get&search=0xF3D322D0EC4582C3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
URL: <https://lists.webkit.org/pipermail/webkit-gtk/attachments/20161007/3a7697fb/attachment.sig>