<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">2016-10-07 5:45 GMT+02:00 Michael Gratton <span dir="ltr"><<a href="mailto:mike@vee.net" target="_blank">mike@vee.net</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><br></div><div>Hey Adrián,</div><div><br></div><div>Thanks for the suggestions and feedback — I've actually started work on this and so am now running into these issues.</div><span class="gmail-"><div><br></div>
On Wed, Aug 3, 2016 at 11:45 PM, Adrián Pérez de Castro <<a href="mailto:aperez@igalia.com" target="_blank">aperez@igalia.com</a>> wrote:<br>
<blockquote type="cite"><div class="gmail-m_-8535351915212298323plaintext" style="white-space:pre-wrap"><blockquote> One of the things that needs to be taken care of is how Geary does
manipulates an HTML email's markup before loading it into a WebView.
This is done for a few reasons: Applying app-specific and user-specific
CSS, to implement collapsible quote sections, for handling loading of
inline and attached images, and to ensure that bulk and junk messages
containing bugged remote images, etc. aren't automatically triggered.
</blockquote>
You may want to consider using WebKitUserContentManager [1]. In short, it
allows you to inject CSS and JavaScript snippets into content loaded in a
WebKitWebView. The injected JavaScript code runs in the WebProcess, in the
same context as the loaded web content, and it can manipulate it in any
way it wants, using the DOM and all the rest of web APIs.
Additionally, you can register a “message handler”, which allows you to
send messages from JavaScript with:
window.webkit.messageHandlers.<wbr><handler-name>.postMessage(<wbr>value)
When that function is called from JavaScript, “value” is serialized and
sent to the UIProcess (your application), and the WebKitUserContentManager
emits the “script-message-received::<<wbr>handler-name>” signal.
If you need to send messages from the UIProcess to the WebProcess, you can
use webkit_web_view_run_<wbr>javascript() e.g. to call JavaScript functions which
have been defined in your injected scripts.</div></blockquote><div><br></div></span><div>This mechanism sounds good, and I might be able to get away with using this rather than implementing a WebExtension, except for one thing: It quite reasonably seems to require JavaScript is enabled for webkit_web_view_run_<wbr>javascript() to work, and currently Geary disables JavaScript since it's not widely required for HTML email, and since it reduces the size of the malware attack surface.</div><div><br></div><div>I'm reluctant to re-enable JS because of the secuity angle, but was wondering if, aside from playing wack-a-mole by removing SCRIPT elements on HTML mail, if there is some mechanism to allow WebKitUserContentManager scripts and webkit_web_view_run_<wbr>javascript() to function, while preventing JS in the HTML from executing?</div><div></div></blockquote></div></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Hi</div><div class="gmail_extra"><br></div><div class="gmail_extra">i've been doing similar stuff in node-webkitgtk, using</div><div class="gmail_extra"><span style="font-size:12.800000190734863px">- a webextension to cancel all requests</span></div><div class="gmail_extra"><span style="font-size:12.800000190734863px">- a user-injected script to observe document mutations and catch insertion of script tags or onload attributes</span></div><div class="gmail_extra"><span style="font-size:12.800000190734863px"><br></span></div><div class="gmail_extra"><span style="font-size:12.800000190734863px">However that last part is surely not 100% guaranteed because it's difficult to track</span></div><div class="gmail_extra"><span style="font-size:12.800000190734863px">all the ways javascript can execute on a web page.</span></div><div class="gmail_extra"><span style="font-size:12.800000190734863px"><br></span></div><div class="gmail_extra"><span style="font-size:12.800000190734863px">Jérémy</span></div><div class="gmail_extra"><span style="font-size:12.800000190734863px"><br></span></div><div class="gmail_extra"><br></div></div>