[Webkit-unassigned] [Bug 189963] New: [WPE][GTK] Fix file:// URI access in sandbox

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=189963

            Bug ID: 189963
           Summary: [WPE][GTK] Fix file:// URI access in sandbox
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: pgriffis at igalia.com
                CC: bugs-noreply at webkitgtk.org

Currently `file://` URIs are all handled by the NetworkProcess which does not have filesystem access.

Granting that access would defeat the purpose of the sandbox so this needs to be moved out of this process.

One idea would be creating a new LocalFileProcess or such so it could work but doesn't compromise every
websites NetworkProcess.

This cannot be solved by simply mounting requested URIs dynamically at runtime as all `bwrap` permissions
happen once at process creation and adding bind mounts later would require root permissions which is
not ideal.

We also cannot use the `document-portal` that flatpak uses because it does not handle
directories yet and doesn't have any solid plans how to do so.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180925/74dd3ccc/attachment-0001.html>