[devhelp/wip/sandbox-webkitgtk] Sandbox WebKitGTK

[Sébastien Wilmet <swilmet src gnome org>]

commit 3d6a13b5805e1fa839a97f3a1d31e910a32b7905
Author: Sébastien Wilmet <swilmet gnome org>
Date:   Fri Apr 3 21:37:24 2020 +0200

    Sandbox WebKitGTK
    
    This requires WebKitGTK 2.26.
    
    And GLib 2.64 is needed for g_warning_once().
    
    Fixes https://gitlab.gnome.org/GNOME/devhelp/-/issues/22

 devhelp/dh-init.c     | 15 ++++++++++++---
 devhelp/dh-web-view.c |  8 ++++++--
 meson.build           |  4 ++--
 3 files changed, 20 insertions(+), 7 deletions(-)
---
diff --git a/devhelp/dh-init.c b/devhelp/dh-init.c
index 9cfc5e78..d13da5c6 100644
--- a/devhelp/dh-init.c
+++ b/devhelp/dh-init.c
@@ -1,13 +1,13 @@
 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
-/*
- * SPDX-FileCopyrightText: 2012 Aleksander Morgado <aleksander gnu org>
- * SPDX-FileCopyrightText: 2017 Sébastien Wilmet <swilmet gnome org>
+/* SPDX-FileCopyrightText: 2012 Aleksander Morgado <aleksander gnu org>
+ * SPDX-FileCopyrightText: 2017-2020 Sébastien Wilmet <swilmet gnome org>
  * SPDX-License-Identifier: GPL-3.0-or-later
  */
 
 #include "config.h"
 #include "dh-init.h"
 #include <glib/gi18n-lib.h>
+#include <webkit2/webkit2.h>
 #include "dh-book-list.h"
 #include "dh-profile.h"
 #include "dh-settings.h"
@@ -19,6 +19,9 @@
  *
  * This function can be called several times, but is meant to be called at the
  * beginning of main(), before any other Devhelp function call.
+ *
+ * Since version 3.38, this function enables the WebKitGTK sandbox by calling
+ * webkit_web_context_set_sandbox_enabled() on the default #WebKitWebContext.
  */
 void
 dh_init (void)
@@ -26,8 +29,14 @@ dh_init (void)
         static gboolean done = FALSE;
 
         if (!done) {
+                WebKitWebContext *webkit_context;
+
                 bindtextdomain (GETTEXT_PACKAGE, LOCALEDIR);
                 bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8");
+
+                webkit_context = webkit_web_context_get_default ();
+                webkit_web_context_set_sandbox_enabled (webkit_context, TRUE);
+
                 done = TRUE;
         }
 }
diff --git a/devhelp/dh-web-view.c b/devhelp/dh-web-view.c
index b3639c0a..be5d8fb2 100644
--- a/devhelp/dh-web-view.c
+++ b/devhelp/dh-web-view.c
@@ -1,6 +1,5 @@
 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
-/*
- * SPDX-FileCopyrightText: 2018 Sébastien Wilmet <swilmet gnome org>
+/* SPDX-FileCopyrightText: 2018-2020 Sébastien Wilmet <swilmet gnome org>
  * SPDX-License-Identifier: GPL-3.0-or-later
  */
 
@@ -468,12 +467,17 @@ static void
 dh_web_view_constructed (GObject *object)
 {
         DhWebView *view = DH_WEB_VIEW (object);
+        WebKitWebContext *webkit_context;
         WebKitSettings *webkit_settings;
         DhSettings *dh_settings;
 
         if (G_OBJECT_CLASS (dh_web_view_parent_class)->constructed != NULL)
                 G_OBJECT_CLASS (dh_web_view_parent_class)->constructed (object);
 
+        webkit_context = webkit_web_view_get_context (WEBKIT_WEB_VIEW (view));
+        if (!webkit_web_context_get_sandbox_enabled (webkit_context))
+                g_warning_once ("WebKitWebContext is not sandboxed.");
+
         webkit_settings = webkit_web_view_get_settings (WEBKIT_WEB_VIEW (view));
         webkit_settings_set_enable_back_forward_navigation_gestures (webkit_settings, TRUE);
 
diff --git a/meson.build b/meson.build
index daa6f553..b07884f4 100644
--- a/meson.build
+++ b/meson.build
@@ -34,9 +34,9 @@ LIBDEVHELP_LT_VERSION = '@0@.@1@.@2@'.format(lt_current, lt_revision, lt_age)
 
 WEBKITGTK_DEP_STR = 'webkit2gtk-4.0'
 libdevhelp_deps_array = [
-  ['gio-2.0', '>= 2.60'],
+  ['gio-2.0', '>= 2.64'],
   ['gtk+-3.0', '>= 3.22'],
-  [WEBKITGTK_DEP_STR, '>= 2.24']
+  [WEBKITGTK_DEP_STR, '>= 2.26']
 ]
 
 LIBDEVHELP_DEPS_STR = []