[webkit-gtk] [Q] block all network accesses – how?

Albrecht Dreß albrecht.dress at posteo.de
Wed Aug 2 09:47:47 PDT 2023


Hi all,

I use WebKitGtk in a MUA, which for privacy reasons shall block all external network accesses unless the user explicitly allows them.  Using a web extension, I could redirect these accesses to “about:blank”.  However, I /still/ see webkit opening tcp connections to the remote sites, which IMHO shouldn't happen, as it already leaks information to a potential attacker.

To reproduce, see the attached trivial example.  Just say “make”, launch e.g. “sudo tcpdump -v tcp port 80” in a separate terminal, and then run “./samp-main Test.html”.

Performing the following actions
* launch the application at ~18:13:19: extension is loaded;
* click on the link at ~18:13:33: resulting in the redirect message from the extension;
* terminate the application at ~18:14:04.

produces these (connect and close) events in tcpdump:

<snip>
18:13:19.859002 IP (tos 0x0, ttl 64, id 27204, offset 0, flags [DF], proto TCP (6), length 60)
     10.0.2.15.35030 > debian.inf.tu-dresden.de.http: Flags [S], cksum 0x9b8d (incorrect -> 0x6ba9), seq 3403384906, win 64240, options [mss 1460,sackOK,TS val 1273241046 ecr 0,nop,wscale 7], length 0
18:13:19.896415 IP (tos 0x0, ttl 64, id 768, offset 0, flags [none], proto TCP (6), length 44)
     debian.inf.tu-dresden.de.http > 10.0.2.15.35030: Flags [S.], cksum 0xc1b3 (correct), seq 45440001, ack 3403384907, win 65535, options [mss 1460], length 0
18:13:19.896447 IP (tos 0x0, ttl 64, id 27205, offset 0, flags [DF], proto TCP (6), length 40)
     10.0.2.15.35030 > debian.inf.tu-dresden.de.http: Flags [.], cksum 0x9b79 (incorrect -> 0xde7f), ack 1, win 64240, length 0
18:13:33.509046 IP (tos 0x0, ttl 64, id 27206, offset 0, flags [DF], proto TCP (6), length 40)
     10.0.2.15.35030 > debian.inf.tu-dresden.de.http: Flags [F.], cksum 0x9b79 (incorrect -> 0xde7e), seq 1, ack 1, win 64240, length 0
18:13:33.509369 IP (tos 0x0, ttl 64, id 771, offset 0, flags [none], proto TCP (6), length 40)
     debian.inf.tu-dresden.de.http > 10.0.2.15.35030: Flags [.], cksum 0xd96f (correct), ack 2, win 65535, length 0
18:13:33.519920 IP (tos 0x0, ttl 64, id 7640, offset 0, flags [DF], proto TCP (6), length 60)
     10.0.2.15.55234 > www.netcologne.de.http: Flags [S], cksum 0x3901 (incorrect -> 0x4c71), seq 4271866237, win 64240, options [mss 1460,sackOK,TS val 4033707821 ecr 0,nop,wscale 7], length 0
18:13:33.540657 IP (tos 0x0, ttl 64, id 774, offset 0, flags [none], proto TCP (6), length 44)
     www.netcologne.de.http > 10.0.2.15.55234: Flags [S.], cksum 0x4443 (correct), seq 47104001, ack 4271866238, win 65535, options [mss 1460], length 0
18:13:33.540709 IP (tos 0x0, ttl 64, id 7641, offset 0, flags [DF], proto TCP (6), length 40)
     10.0.2.15.55234 > www.netcologne.de.http: Flags [.], cksum 0x38ed (incorrect -> 0x610f), ack 1, win 64240, length 0
18:13:33.546343 IP (tos 0x0, ttl 64, id 775, offset 0, flags [none], proto TCP (6), length 40)
     debian.inf.tu-dresden.de.http > 10.0.2.15.35030: Flags [F.], cksum 0xd96e (correct), seq 1, ack 2, win 65535, length 0
18:13:33.546371 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
     10.0.2.15.35030 > debian.inf.tu-dresden.de.http: Flags [.], cksum 0xde7d (correct), ack 2, win 64240, length 0
18:14:04.852170 IP (tos 0x0, ttl 64, id 7642, offset 0, flags [DF], proto TCP (6), length 40)
     10.0.2.15.55234 > www.netcologne.de.http: Flags [F.], cksum 0x38ed (incorrect -> 0x610e), seq 1, ack 1, win 64240, length 0
18:14:04.852485 IP (tos 0x0, ttl 64, id 777, offset 0, flags [none], proto TCP (6), length 40)
     www.netcologne.de.http > 10.0.2.15.55234: Flags [.], cksum 0x5bff (correct), ack 2, win 65535, length 0
18:14:04.873083 IP (tos 0x0, ttl 64, id 778, offset 0, flags [none], proto TCP (6), length 40)
     www.netcologne.de.http > 10.0.2.15.55234: Flags [F.], cksum 0x5bfe (correct), seq 1, ack 2, win 65535, length 0
18:14:04.873104 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
     10.0.2.15.55234 > www.netcologne.de.http: Flags [.], cksum 0x610d (correct), ack 2, win 64240, length 0
</snip>

How is it possible to block these connections completely?  I use the library on Debian Bookworm, package libwebkit2gtk-4.1-0, version 2.40.3-2~deb12u2.

Thanks in advance,
Albrecht.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sample.tar.bz2
Type: application/x-bzip-compressed-tar
Size: 1908 bytes
Desc: not available
URL: <http://lists.webkit.org/pipermail/webkit-gtk/attachments/20230802/99eba8ba/attachment.bin>
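
The tcpdump check described in the message above can be turned into a pass/fail test. The following is an added example, not part of the original post or its attached sample. It parses `tcpdump -v` text output and lists every outbound TCP connection attempt (bare SYN), noting whether the peer answered. The function name, the `allowed` parameter and the sample capture (documentation addresses and example.org/example.net hosts) are constructed for illustration.

```python
import re

# Constructed sample in the two-line `tcpdump -v` record layout shown in the post.
SAMPLE = """\
18:13:19.859002 IP (tos 0x0, ttl 64, id 27204, offset 0, flags [DF], proto TCP (6), length 60)
     192.0.2.15.35030 > tracker.example.org.http: Flags [S], cksum 0x9b8d (correct), seq 100, win 64240, length 0
18:13:19.896415 IP (tos 0x0, ttl 64, id 768, offset 0, flags [none], proto TCP (6), length 44)
     tracker.example.org.http > 192.0.2.15.35030: Flags [S.], cksum 0xc1b3 (correct), seq 500, ack 101, win 65535, length 0
18:13:19.896447 IP (tos 0x0, ttl 64, id 27205, offset 0, flags [DF], proto TCP (6), length 40)
     192.0.2.15.35030 > tracker.example.org.http: Flags [.], cksum 0x9b79 (correct), ack 1, win 64240, length 0
18:13:33.519920 IP (tos 0x0, ttl 64, id 7640, offset 0, flags [DF], proto TCP (6), length 60)
     192.0.2.15.55234 > cdn.example.net.https: Flags [S], cksum 0x3901 (correct), seq 900, win 64240, length 0
"""

HEADER = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) IP ")                # timestamp line
PACKET = re.compile(r"^\s+(\S+) > (\S+): Flags \[([^\]]*)\]")        # indented detail line


def outbound_connects(capture, allowed=()):
    """Return [(time, host, port, answered)] for each client SYN to a host not in `allowed`."""
    opens, ts = {}, None
    for line in capture.splitlines():
        header = HEADER.match(line)
        if header:
            ts = header.group(1)
            continue
        packet = PACKET.match(line)
        if not packet or ts is None:
            continue
        src, dst, flags = packet.groups()
        if flags == "S":
            # Bare SYN: the client is opening a connection. tcpdump prints
            # "host.port", so the port (or service name) follows the last dot.
            host, port = dst.rsplit(".", 1)
            if host not in allowed:
                opens[(src, dst)] = [ts, host, port, False]
        elif flags == "S." and (dst, src) in opens:
            # SYN-ACK for a recorded SYN: the remote side saw the attempt.
            opens[(dst, src)][3] = True
    return [tuple(entry) for entry in opens.values()]


if __name__ == "__main__":
    for row in outbound_connects(SAMPLE):
        print(row)
```

An empty result for a capture taken while the message view is open means no connection attempt left the host; any row is a leak of the kind the post describes, even if no HTTP request followed.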