On Thu, Jan 8, 2015 at 3:24 AM, Sergio Villar Senin <svillar@igalia.com> wrote:<br><blockquote type="cite"><div class="plaintext" style="white-space: pre-wrap;">If we want to use sandboxing my opinion is that we should be very active
restricting the potential capabilities of web extensions. Perhaps we
could declare some fixed safe filesystem path that all of them should
use or something.</div></blockquote><div><br></div><div>That will work for most web extensions. I think we can do that for now: whitelist XDG_CONFIG_DIR/webkitgtk/web-extensions and XDG_DATA_DIR/webkitgtk/web-extensions for extensions to use to store data, and expect them to use it. If the web extension wants to touch something more interesting, it needs to go through the UI process. No new API. (Or just new properties on WebKitWebContext to allow changing those two whitelisted directories. Or not, to prevent browser writers from setting one to the root directory or home directory. OK, not.)</div><div><br></div><div>This only works so long as the sandbox limits itself to trapping filesystem-access calls. A stricter sandbox would try to block any system calls it doesn't use. If we want to do that with our sandbox (and we should not, at least not at first), then we really have to give the browser author or web extension full control over filters, or else it could become difficult or impossible to maintain a web extension.</div><div><br></div><blockquote type="cite"><div class="plaintext" style="white-space: pre-wrap;"><blockquote> * We need a way to disable the sandbox (before the web process is
initialized), for testing purposes. That could be the form of API, say
webkit_web_context_set_web_extension_sandbox_enabled(WebKitWebContext *,
gboolean), but it'd probably be nicer to use an environment variable
like WEBKIT_SANDBOX_DISABLE.
</blockquote>
If that's for testing purposes only, it should likely be part of
WebCore's internals API.</div></blockquote><br><div>I was thinking we should provide something for application developers to allow testing web extensions. Thinking about this more, let's instead just provide some nice warning messages when the sandbox blocks something. (P.S. The sandbox is implemented in WebKit2, not WebCore.)</div><div><br></div><div>Happy Thursday,</div><div><br></div><div>Michael</div>
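<div>The two ideas in the message above, a whitelist of two web-extension directories and a warning message whenever the sandbox blocks something, are illustrated below as an added example. This is not WebKit code and not part of the thread; it is a standalone path check written for this page. It assumes a hypothetical <code>sandbox_check_path()</code> entry point, uses constructed absolute paths for the XDG base directories, and normalises paths lexically (collapsing <code>.</code> and <code>..</code>) rather than resolving symlinks, which a real sandbox would have to do in the kernel or via the UI process. It also checks the whitelist prefix on a component boundary, so a sibling directory whose name merely starts with <code>web-extensions</code> is not accepted.</div>

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not WebKit code): lexically normalise an absolute
 * path, collapsing ".", ".." and repeated '/' into out (capacity n).
 * Returns 0 on success, -1 if the path is not absolute or does not fit.
 * Note: this does not follow symlinks; it only cleans the text of the path. */
static int normalize_path(const char *path, char *out, size_t n) {
    char buf[4096];
    if (path[0] != '/' || n < 2 || strlen(path) >= sizeof buf) return -1;
    strcpy(buf, path);
    size_t len = 0;
    out[0] = '\0';
    char *save = NULL;
    for (char *seg = strtok_r(buf, "/", &save); seg; seg = strtok_r(NULL, "/", &save)) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            /* Pop the last component; never climb above the root. */
            while (len > 0 && out[len - 1] != '/') len--;
            if (len > 0) len--;
            out[len] = '\0';
            continue;
        }
        size_t sl = strlen(seg);
        if (len + 1 + sl + 1 > n) return -1;
        out[len++] = '/';
        memcpy(out + len, seg, sl);
        len += sl;
        out[len] = '\0';
    }
    if (len == 0) { out[0] = '/'; out[1] = '\0'; }
    return 0;
}

/* True if the normalised path is the root itself or lies inside it.
 * The match must end on a component boundary so that
 * ".../web-extensions-evil/x" is not accepted for root ".../web-extensions". */
static int path_under(const char *norm, const char *root) {
    size_t rl = strlen(root);
    if (rl > 1 && root[rl - 1] == '/') rl--;   /* tolerate a trailing slash */
    if (strncmp(norm, root, rl) != 0) return 0;
    return rl == 1 || norm[rl] == '\0' || norm[rl] == '/';
}

/* Whitelist: the two directories named in the message. The XDG base
 * directories are constructed values for this example, not real config. */
static const char *const ALLOWED_ROOTS[] = {
    "/home/user/.config/webkitgtk/web-extensions",
    "/home/user/.local/share/webkitgtk/web-extensions",
    NULL
};

/* Hypothetical sandbox hook: returns 1 if an extension may touch path,
 * 0 otherwise. A denial prints a warning instead of failing silently,
 * which is the debugging aid the message proposes in place of a
 * sandbox-disable switch. */
int sandbox_check_path(const char *path) {
    char norm[4096];
    if (normalize_path(path, norm, sizeof norm) != 0) {
        fprintf(stderr, "web-extension sandbox: rejecting malformed path '%s'\n", path);
        return 0;
    }
    for (const char *const *r = ALLOWED_ROOTS; *r; r++)
        if (path_under(norm, *r)) return 1;
    fprintf(stderr,
            "web-extension sandbox: blocked access to '%s' (normalised '%s'); "
            "extensions may only use the whitelisted web-extensions directories\n",
            path, norm);
    return 0;
}

int main(void) {
    /* Constructed sample requests an extension might make. */
    const char *requests[] = {
        "/home/user/.config/webkitgtk/web-extensions/state.db",          /* allowed */
        "/home/user/.local/share/webkitgtk/web-extensions/./cache",      /* allowed */
        "/home/user/.config/webkitgtk/web-extensions-evil/x",            /* denied: sibling dir */
        "/home/user/.config/webkitgtk/web-extensions/../../../notes.txt", /* denied: escapes root */
        "relative/path",                                                 /* denied: not absolute */
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-70s -> %s\n", requests[i], sandbox_check_path(requests[i]) ? "allow" : "deny");
    return 0;
}
```

<div>The boundary check in <code>path_under()</code> and the <code>..</code> collapsing in <code>normalize_path()</code> are the two places a naive prefix comparison usually goes wrong; a production sandbox would additionally resolve the path the kernel actually opens, since a symlink inside the whitelisted directory can point anywhere.</div>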