isa/gnome-shell
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

portalHelper: Enable WebKit sandbox if available

Browse Source 
The portal helper is rather sensitive because potentially-hostile Wi-Fi
networks can decide to launch it whenever they want (by blocking the
user's connection to the nmcheck domain) and load whatever web content
they want into it. So having this unsandboxed is really extraordinarily
risky. Previously it was a risk we had to accept, because WebKit did not
have a web process sandbox, but now it does. So let's bubblewrap all the
things!

https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/983
This commit is contained in:
Michael Catanzaro 2020-02-05 22:18:11 +00:00 committed by Florian Müllner
parent ded4586781
commit 35063c9e7c
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
js/portalHelper/main.js
View File

@ -118,6 +118,10 @@ class PortalWindow extends Gtk.ApplicationWindow {
this._webContext = WebKit.WebContext.new_ephemeral();
this._webContext.set_cache_model(WebKit.CacheModel.DOCUMENT_VIEWER);
this._webContext.set_network_proxy_settings(WebKit.NetworkProxyMode.NO_PROXY, null);
if (this._webContext.set_sandbox_enabled) {
// We have WebKitGTK 2.26 or newer.
this._webContext.set_sandbox_enabled(true);
}
this._webView = WebKit.WebView.new_with_context(this._webContext);
this._webView.connect('decide-policy', this._onDecidePolicy.bind(this));