[Webkit-unassigned] [Bug 220117] [GTK] Remove webkit_web_context_set_sandbox_enabled() from GTK 4 API and block outrageous filesystem allowlists

Wed Oct 27 18:48:36 PDT 2021

https://bugs.webkit.org/show_bug.cgi?id=220117

Michael Catanzaro <mcatanzaro at gnome.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcatanzaro at gnome.org
            Summary|[GTK] Remove                |[GTK] Remove
                   |webkit_web_context_set_sand |webkit_web_context_set_sand
                   |box_enabled() from GTK 4    |box_enabled() from GTK 4
                   |API                         |API and block outrageous
                   |                            |filesystem allowlists

--- Comment #1 from Michael Catanzaro <mcatanzaro at gnome.org> ---
One more thing: we should crash if the application tries to allowlist / or /home or $HOME. We cannot prevent apps from allowlisting whatever they wish, but if they want to be stupid they should have to try somewhat harder than that.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211028/6a750613/attachment.htm>