[webkit-gtk] [Q] block all network accesses – how?

Albrecht Dreß albrecht.dress at posteo.de
Wed Aug 2 11:46:04 PDT 2023

Am 02.08.23 19:48 schrieb(en) Michael Catanzaro:
> On Wed, Aug 2 2023 at 04:47:47 PM +0000, Albrecht Dreß <albrecht.dress at posteo.de> wrote:
>> I use WebKitGtk in a MUA, which for privacy reasons shall block all external network accesses unless the user explicitly allows them.  Using a web extension, I could redirect these accesses to “about:blank”.  However, I /still/ see webkit opening tcp connections to the remote sites, which IMHO shouldn't happen, as it already leaks information to a potential attacker.
> You should be able to use the WebKitWebPage::send-request signal to block all network requests.

Please excuse my imprecise description – I *do* actually catch this signal in my extension.  The handler is connected in the WebExtension::page-created callback via

	g_signal_connect(web_page, "send-request", G_CALLBACK(send_request_cb), NULL);

and the latter callback changes the request URI to

	webkit_uri_request_set_uri(request, "about:blank");

unless the uri is already “about:blank” or starts with “cid:” or “data:”.  A debug message indicates that the signal is caught, and tcpdump doesn't show the http request, so I /think/ this part works as expected.

To me, this behavior looks as if the WebKitWebPage::send-request signal is fired only /after/ the connect() to the target host, but before the send(), which would perfectly explain my observations.

> If that doesn't work, it's probably a bug.

I see… so I should create a bug report in bugzilla?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.webkit.org/pipermail/webkit-gtk/attachments/20230802/efb6e35b/attachment-0001.bin>

More information about the webkit-gtk mailing list