From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Qiantan Hong <qhong@mit.edu>
Newsgroups: gmane.emacs.devel
Subject: Enabling Sandboxing for WebKitGTK Xwidgets
Date: Thu, 27 Aug 2020 01:57:20 +0000
Message-ID: <0960AC5E-E5DD-4821-A9A3-A1E297058189@mit.edu>
Mime-Version: 1.0
Content-Type: multipart/signed;
 boundary="Apple-Mail=_9D28FC96-4CF8-44C8-B4A4-03A0F69648AE";
 protocol="application/pkcs7-signature"; micalg=sha-256
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="12239"; mail-complaints-to="usenet@ciao.gmane.io"
To: "emacs-devel@gnu.org" <emacs-devel@gnu.org>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Thu Aug 27 05:23:38 2020
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1kB8Vl-00035s-9M
	for ged-emacs-devel@m.gmane-mx.org; Thu, 27 Aug 2020 05:23:37 +0200
Original-Received: from localhost ([::1]:45580 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1kB8Vk-0000YL-5h
	for ged-emacs-devel@m.gmane-mx.org; Wed, 26 Aug 2020 23:23:36 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:56628)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <qhong@mit.edu>) id 1kB7Gx-0000an-Bt
 for emacs-devel@gnu.org; Wed, 26 Aug 2020 22:04:15 -0400
Original-Received: from outgoing-exchange-1.mit.edu ([18.9.28.15]:42806)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <qhong@mit.edu>) id 1kB7Gv-0001nc-93
 for emacs-devel@gnu.org; Wed, 26 Aug 2020 22:04:14 -0400
Original-Received: from w92exedge3.exchange.mit.edu (W92EXEDGE3.EXCHANGE.MIT.EDU
 [18.7.73.15])
 by outgoing-exchange-1.mit.edu (8.14.7/8.12.4) with ESMTP id 07R1vL8l029299
 for <emacs-devel@gnu.org>; Wed, 26 Aug 2020 21:57:21 -0400
Original-Received: from oc11expo16.exchange.mit.edu (18.9.4.47) by
 w92exedge3.exchange.mit.edu (18.7.73.15) with Microsoft SMTP Server (TLS) id
 15.0.1293.2; Wed, 26 Aug 2020 21:57:09 -0400
Original-Received: from oc11expo16.exchange.mit.edu (18.9.4.47) by
 oc11expo16.exchange.mit.edu (18.9.4.47) with Microsoft SMTP Server (TLS) id
 15.0.1365.1; Wed, 26 Aug 2020 21:57:20 -0400
Original-Received: from oc11expo16.exchange.mit.edu ([18.9.4.47]) by
 oc11expo16.exchange.mit.edu ([18.9.4.47]) with mapi id 15.00.1365.000; Wed,
 26 Aug 2020 21:57:20 -0400
Thread-Topic: Enabling Sandboxing for WebKitGTK Xwidgets
Thread-Index: AQHWfBVmHomJ7F+MlkSpr8Ycw23Mlw==
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [18.18.245.17]
Received-SPF: pass client-ip=18.9.28.15; envelope-from=qhong@mit.edu;
 helo=outgoing-exchange-1.mit.edu
X-detected-operating-system: by eggs.gnu.org: First seen = 2020/08/26 21:57:21
X-ACL-Warn: Detected OS   = Windows 7 (Websense crawler)
X-Spam_score_int: -41
X-Spam_score: -4.2
X-Spam_bar: ----
X-Spam_report: (-4.2 / 5.0 requ) BAYES_00=-1.9, HTML_MESSAGE=0.001,
 RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Mailman-Approved-At: Wed, 26 Aug 2020 23:22:51 -0400
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: "Emacs-devel"
 <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.devel:254268
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/254268>

--Apple-Mail=_9D28FC96-4CF8-44C8-B4A4-03A0F69648AE
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_2763BD3B-B130-476E-976A-E766205D2A65"


--Apple-Mail=_2763BD3B-B130-476E-976A-E766205D2A65
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi,

Currently the WebKitGTK Xwidgets don=E2=80=99t sandbox web processes,
which is a major security risk when using it to access contents from
Internet. A reference can be found at
https://blogs.gnome.org/mcatanzaro/2020/03/31/sandboxing-webkitgtk-apps/

A patch to enable sandboxing is attached.

Best,
Qiantan

qhong@mit.edu




--Apple-Mail=_2763BD3B-B130-476E-976A-E766205D2A65
Content-Type: multipart/mixed;
	boundary="Apple-Mail=_8A2D33A2-0B78-4CA1-BE03-FAEF73F99470"


--Apple-Mail=_8A2D33A2-0B78-4CA1-BE03-FAEF73F99470
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" =
class=3D"">Hi,<div class=3D""><br class=3D""></div><div =
class=3D"">Currently the WebKitGTK Xwidgets don=E2=80=99t sandbox web =
processes,</div><div class=3D"">which is a major security risk when =
using it to access contents from</div><div class=3D"">Internet. A =
reference can be found at</div><div class=3D""><a =
href=3D"https://blogs.gnome.org/mcatanzaro/2020/03/31/sandboxing-webkitgtk=
-apps/" =
class=3D"">https://blogs.gnome.org/mcatanzaro/2020/03/31/sandboxing-webkit=
gtk-apps/</a></div><div class=3D""><br class=3D""></div><div class=3D"">A =
patch to enable sandboxing is attached.</div><div =
class=3D""></div></body></html>=

--Apple-Mail=_8A2D33A2-0B78-4CA1-BE03-FAEF73F99470
Content-Disposition: attachment;
	filename=0001-Enable-Sandboxing-for-WebKitGTK-Xwidgets.patch
Content-Type: application/octet-stream;
	x-unix-mode=0644;
	name="0001-Enable-Sandboxing-for-WebKitGTK-Xwidgets.patch"
Content-Transfer-Encoding: quoted-printable

=46rom=204f258f00092f633e2b8cff15ef4038f0b094b2ee=20Mon=20Sep=2017=20=
00:00:00=202001=0AFrom:=20Qiantan=20Hong=20<qhong@mit.edu>=0ADate:=20=
Wed,=2026=20Aug=202020=2021:02:54=20-0400=0ASubject:=20[PATCH]=20Enable=20=
Sandboxing=20for=20WebKitGTK=20Xwidgets=0A=0ACall=20=
webkit_web_context_get_default=20()=20before=20creation=20of=0Athe=20=
first=20WebKitWebView=20instance.=0A---=0A=20src/xwidget.c=20|=207=20=
+++++++=0A=201=20file=20changed,=207=20insertions(+)=0A=0Adiff=20--git=20=
a/src/xwidget.c=20b/src/xwidget.c=0Aindex=20154b3e9c82..5cfdcf234f=20=
100644=0A---=20a/src/xwidget.c=0A+++=20b/src/xwidget.c=0A@@=20-114,6=20=
+114,13=20@@=20DEFUN=20("make-xwidget",=0A=20=20=20if=20(EQ=20(xw->type,=20=
Qwebkit))=0A=20=20=20=20=20{=0A=20=20=20=20=20=20=20block_input=20();=0A=
+=0A+=20=20=20=20=20=20WebKitWebContext=20*=20webkit_context=20=3D=20=
webkit_web_context_get_default=20();=0A+=20=20=20=20=20=20if=20=
(!webkit_web_context_get_sandbox_enabled=20(webkit_context))=0A+=20=20=20=
=20=20=20=20=20{=0A+=20=20=20=20=20=20=20=20=20=20=
webkit_web_context_set_sandbox_enabled=20(webkit_context,=20TRUE);=0A+=20=
=20=20=20=20=20=20=20}=0A+=0A=20=20=20=20=20=20=20xw->widgetwindow_osr=20=
=3D=20gtk_offscreen_window_new=20();=0A=20=20=20=20=20=20=20=
gtk_window_resize=20(GTK_WINDOW=20(xw->widgetwindow_osr),=20xw->width,=0A=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20xw->height);=0A--=20=0A2.20.1=20(Apple=20Git-117)=0A=0A=

--Apple-Mail=_8A2D33A2-0B78-4CA1-BE03-FAEF73F99470
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><div =
class=3D""></div><br class=3D""><div class=3D"">
<div style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;">Best,</div><div style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: =
none;">Qiantan</div><div style=3D"caret-color: rgb(0, 0, 0); color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; orphans: auto; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; widows: auto; word-spacing: =
0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><br class=3D""></div><div style=3D"caret-color: =
rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; orphans: auto; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; widows: =
auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><a =
href=3D"mailto:qhong@mit.edu" class=3D"">qhong@mit.edu</a></div><div =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
class=3D""></div><br class=3D"Apple-interchange-newline">
</div>
<br class=3D""></body></html>=

--Apple-Mail=_8A2D33A2-0B78-4CA1-BE03-FAEF73F99470--

--Apple-Mail=_2763BD3B-B130-476E-976A-E766205D2A65--

--Apple-Mail=_9D28FC96-4CF8-44C8-B4A4-03A0F69648AE
Content-Disposition: attachment; filename="smime.p7s"
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCA70w
ggO5MIIDIqADAgECAhAaql39NsO1qLVjkS2hl517MA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNVBAYT
AlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3Rp
dHV0ZSBvZiBUZWNobm9sb2d5MRUwEwYDVQQLEwxDbGllbnQgQ0EgdjEwHhcNMjAwODAzMDEyNDIz
WhcNMjEwODAxMDEyNDIzWjCBoTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMx
LjAsBgNVBAoTJU1hc3NhY2h1c2V0dHMgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxFTATBgNVBAsT
DENsaWVudCBDQSB2MTEVMBMGA1UEAxMMUWlhbnRhbiBIb25nMRwwGgYJKoZIhvcNAQkBFg1xaG9u
Z0BNSVQuRURVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAylUlEQdK4BSXKzoGh6As
CKN/TpLmC0kjhPdxUKMj1/86Xl6GDCla4h95uISDOWVAKdu3cIlA8m9zRLT2jNEIkt1DVpXP6c9h
y8RRyfJm0qlrvr6tsHi5AmO4Li6s2dEGaTxbakPL6vEn7ZYr86t5orq56nubki77Z8ZvRv9/fWdF
bF/YBNGDayLNk0NbXIEQdCHiz1l+bxfw+GHHRmdOge3MKWSg463+GGMdxtLQ61AbtR2vm47FIJBt
c0X6ptcInWUg4Nf/9vSNGl6KvREvfbEWKCT6TfL5ncIFlitf6ZWKue2PZ4ULFfIQ3/7EsEk03xxr
S7sTOy7e2dbPboe/WwIDAQABo4GhMIGeMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFDeb9Jlj
XSm+y0CD872IhzRDIGv1MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jYS5taXQuZWR1L2NhL21p
dGNsaWVudC5jcmwwDQYJKoZIhvcNAQELBQADgYEApBTx4tBbD5rQ+bNGd/Z3OBV07qFsm5QHNg0+
6lxJ3j7q5zMMq35o6y5cBIhcFG6t+MFqJIdERZ3EprDturyqozQsIBMHFnqh+iZcMg0uQyssEqKZ
hrzIdw8GuY4Z6jNewdGy5mwwG9yjpEbzWWgdofSM5rnezZz7EvCQu9ilt1sxggNDMIIDPwIBATCB
gDBsMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEuMCwGA1UEChMlTWFzc2Fj
aHVzZXR0cyBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEVMBMGA1UECxMMQ2xpZW50IENBIHYxAhAa
ql39NsO1qLVjkS2hl517MA0GCWCGSAFlAwQCAQUAoIIBkzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN
AQcBMBwGCSqGSIb3DQEJBTEPFw0yMDA4MjcwMTU3MjBaMC8GCSqGSIb3DQEJBDEiBCDNCJeta6aC
osnW3QTJrZJsyFv9Pr2+gBNN7FrhJLx+uDCBkQYJKwYBBAGCNxAEMYGDMIGAMGwxCzAJBgNVBAYT
AlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3Rp
dHV0ZSBvZiBUZWNobm9sb2d5MRUwEwYDVQQLEwxDbGllbnQgQ0EgdjECEBqqXf02w7WotWORLaGX
nXswgZMGCyqGSIb3DQEJEAILMYGDoIGAMGwxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNo
dXNldHRzMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MRUw
EwYDVQQLEwxDbGllbnQgQ0EgdjECEBqqXf02w7WotWORLaGXnXswDQYJKoZIhvcNAQEBBQAEggEA
SJ0FdjfGPz3D//x/bomL0SPAO3efnVRBs76jt0u4ztXdAogkYgzQqZqQf9PjHL25YGbaBkbkdOXv
zqoevRVwNQaqjz9XMRRXlNFYGCLv35P+93DD3OpLy1FVx0qZcGikgaKPVPU6MDgCfGib/uUfp5Sj
CrPsjxZHVk4lZJVvDpuEg5nQSL9axB9Vh5kPdTy5ojy6cLd6yKkcl7CKV+7agJTAq2P6ZhagV01H
S9X7uYikvext38xsjH59rRmccPqN/kU8fpHMJXStuQXe+iscxWJkJrjeWb4B04Zs/lk2bgrUVMtW
ileTV09SM9x4gaFkp7EA8lerOxPZrkC0oCT/ZgAAAAAAAA==

--Apple-Mail=_9D28FC96-4CF8-44C8-B4A4-03A0F69648AE--