[Webkit-unassigned] [Bug 193439] [GTK][WPE] Add enable-javascript-markup setting

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jan 15 03:37:55 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=193439

Adrian Perez <aperez at igalia.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aperez at igalia.com

--- Comment #3 from Adrian Perez <aperez at igalia.com> ---
Comment on attachment 359147
  --> https://bugs.webkit.org/attachment.cgi?id=359147
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=359147&action=review

Informally reviewing, this would be a r- for me: the description
in the API documentation is seriously lacking, and the name of the
setting is quite bad (non-descriptive, and difficult to search
online for). I don't care what WebKit calls the setting internally,
I would rather have a name for it that better indicates what it does
*and* that we provide a good description of what the setting does and
its intended usage.

> Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp:3582
> + * Returns: %TRUE If JavaScript markup is enabled or %FALSE otherwise.
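
Review bot: The Returns line at WebKitSettings.cpp:3582 capitalizes "If" mid-sentence and relies on the term "JavaScript markup" without defining it. Suggest "%TRUE if JavaScript markup is enabled or %FALSE otherwise." and a sentence in the doc comment saying which script sources the setting disables and which it leaves enabled, so API users do not have to guess the security boundary.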

What is “JavaScript Markup”? A specification, a WebKit specific concept?
Something widely understood among Web developers?... I think the documentation
for this setting needs an explanation of what the option does, as it is nearly
impossible to find anything about this topic that would seem relevant when
implementing an application which makes use of WebKit.

After some digging in the repository history I arrived at bug #112999 and
bug #113122 and it took me wading through a pile of comments and reading
some bits of the code to guess what the setting does. So please let's make
the API documentation better by adding something along the lines of:

  “Enabling this setting will strip <script> tags from loaded HTML
   content, but other forms of JavaScript execution e.g. using
   webkit_web_view_run_javascript() are still allowed. This setting
   is intended for applications which display HTML content but are
   not full browsers, and which want to avoid the risk of script
   injection attacks, as is the case of applications like e-mail
   and news readers.”

If possible it should be more concrete than the above, explaining what
gets restricted and what not, because very often we programmers end up
introducing accidental security vulnerabilities due to assumptions we
make caused by incomplete documentation of third party code used.
