<div><br></div><div>Hey Adrián,</div><div><br></div><div>Thanks for the suggestions and feedback — I've actually started work on this and so am now running into these issues.</div><div><br></div>
On Wed, Aug 3, 2016 at 11:45 PM, Adrián Pérez de Castro <aperez@igalia.com> wrote:<br>
<blockquote type="cite"><div class="plaintext" style="white-space: pre-wrap;"><blockquote> One of the things that needs to be taken care of is how Geary does
manipulates an HTML email's markup before loading it into a WebView.
This is done for a few reasons: Applying app-specific and user-specific
CSS, to implement collapsible quote sections, for handling loading of
inline and attached images, and to ensure that bulk and junk messages
containing bugged remote images, etc. aren't automatically triggered.
</blockquote>
You may want to consider using WebKitUserContentManager [1]. In short, it
allows you to inject CSS and JavaScript snippets into content loaded in a
WebKitWebView. The injected JavaScript code runs in the WebProcess, in the
same context as the loaded web content, and it can manipulate it in any
way it wants, using the DOM and all the rest of web APIs.
Additionally, you can register a “message handler”, which allows you to
send messages from JavaScript with:
window.webkit.messageHandlers.<handler-name>.postMessage(value)
When that function is called from JavaScript, “value” is serialized and
sent to the UIProcess (your application), and the WebKitUserContentManager
emits the “script-message-received::<handler-name>” signal.
If you need to send messages from the UIProcess to the WebProcess, you can
use webkit_web_view_run_javascript() e.g. to call JavaScript functions which
have been defined in your injected scripts.</div></blockquote><div><br></div><div>This mechanism sounds good, and I might be able to get away with using this rather than implementing a WebExtension, except for one thing: It quite reasonably seems to require JavaScript is enabled for webkit_web_view_run_javascript() to work, and currently Geary disables JavaScript since it's not widely required for HTML email, and since it reduces the size of the malware attack surface.</div><div><br></div><div>I'm reluctant to re-enable JS because of the secuity angle, but was wondering if, aside from playing wack-a-mole by removing SCRIPT elements on HTML mail, if there is some mechanism to allow WebKitUserContentManager scripts and webkit_web_view_run_javascript() to function, while preventing JS in the HTML from executing?</div><div><br></div><div>Ta!</div><div><br></div><div>//Mike</div><div style="white-space: pre;">
--
⊨ Michael Gratton, Percept Wrangler.
⚙ <<a href="http://mjog.vee.net/">http://mjog.vee.net/</a>>
</div>