[webkit-gtk] Modifying HTML before loading it in a WebView

Jérémy Lal kapouer at melix.org
Fri Oct 7 00:43:11 PDT 2016


2016-10-07 5:45 GMT+02:00 Michael Gratton <mike at vee.net>:

>
> Hey Adrián,
>
> Thanks for the suggestions and feedback — I've actually started work on
> this and so am now running into these issues.
>
> On Wed, Aug 3, 2016 at 11:45 PM, Adrián Pérez de Castro <aperez at igalia.com>
> wrote:
>
> One of the things that needs to be taken care of is how Geary
> manipulates an HTML email's markup before loading it into a WebView. This
> is done for a few reasons: Applying app-specific and user-specific CSS, to
> implement collapsible quote sections, for handling loading of inline and
> attached images, and to ensure that bulk and junk messages containing
> bugged remote images, etc. aren't automatically triggered.
>
> You may want to consider using WebKitUserContentManager [1]. In short, it
> allows you to inject CSS and JavaScript snippets into content loaded in a
> WebKitWebView. The injected JavaScript code runs in the WebProcess, in the
> same context as the loaded web content, and it can manipulate it in any way
> it wants, using the DOM and all the rest of web APIs. Additionally, you can
> register a “message handler”, which allows you to send messages from
> JavaScript with: window.webkit.messageHandlers.<handler-name>.postMessage(value)
> When that function is called from JavaScript, “value” is serialized and
> sent to the UIProcess (your application), and the WebKitUserContentManager
> emits the “script-message-received::<handler-name>” signal. If you need
> to send messages from the UIProcess to the WebProcess, you can use
> webkit_web_view_run_javascript() e.g. to call JavaScript functions which
> have been defined in your injected scripts.
>
>
> This mechanism sounds good, and I might be able to get away with using
> this rather than implementing a WebExtension, except for one thing: It
> quite reasonably seems to require JavaScript is enabled for
> webkit_web_view_run_javascript() to work, and currently Geary disables
> JavaScript since it's not widely required for HTML email, and since it
> reduces the size of the malware attack surface.
>
> I'm reluctant to re-enable JS because of the security angle, but was
> wondering if, aside from playing whack-a-mole by removing SCRIPT elements on
> HTML mail, there is some mechanism to allow WebKitUserContentManager
> scripts and webkit_web_view_run_javascript() to function, while
> preventing JS in the HTML from executing?
>


Hi

I've been doing similar stuff in node-webkitgtk, using
- a webextension to cancel all requests
- a user-injected script to observe document mutations and catch insertion
of script tags or onload attributes

However that last part is surely not 100% guaranteed because it's difficult
to track all the ways JavaScript can execute on a web page.

Jérémy
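
The mutation-observing user script described in the reply above, as an added example that is not part of the original message and is not node-webkitgtk's own code. The handler name `scrubbed` is an assumption (the application would have to register it), and as the reply says, this covers only some of the ways script can run in a page.

```javascript
// Added example: a user script meant to be injected through
// WebKitUserContentManager. HANDLER is a hypothetical message handler name.
const HANDLER = "scrubbed"; // assumption: registered by the application

// Remove <script> elements and inline event-handler attributes (on*) from an
// element and its descendants. Returns the list of what was removed.
function scrubElement(el, removed = []) {
  if (!el || el.nodeType !== 1) return removed; // element nodes only
  if (el.tagName.toLowerCase() === "script") {
    el.remove();
    removed.push("script");
    return removed;
  }
  // Copy first: removing attributes mutates the live collection.
  for (const attr of Array.from(el.attributes)) {
    if (/^on/i.test(attr.name)) {
      el.removeAttribute(attr.name);
      removed.push(attr.name.toLowerCase());
    }
  }
  for (const child of Array.from(el.children)) scrubElement(child, removed);
  return removed;
}

// Tell the UIProcess what was stripped, if the handler exists.
function report(removed) {
  const h = typeof window !== "undefined" && window.webkit &&
    window.webkit.messageHandlers && window.webkit.messageHandlers[HANDLER];
  if (h && removed.length) h.postMessage(removed.join(","));
}

// Installed only where a DOM is present (inside the web view).
if (typeof MutationObserver !== "undefined" && typeof document !== "undefined") {
  new MutationObserver((records) => {
    for (const r of records) {
      if (r.type === "attributes") report(scrubElement(r.target));
      for (const n of r.addedNodes) report(scrubElement(n));
    }
  }).observe(document, { childList: true, subtree: true, attributes: true });
}
```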