[gnome-shell/mcatanzaro/sandbox-portal-helper: 3/3] portalHelper: Enable WebKit sandbox if available

[Florian Müllner <fmuellner src gnome org>]

commit 35063c9e7c2f145fc4328cda53c9651a2ee73cf6
Author: Michael Catanzaro <mcatanzaro gnome org>
Date:   Wed Feb 5 22:18:11 2020 +0000

    portalHelper: Enable WebKit sandbox if available
    
    The portal helper is rather sensitive because potentially-hostile Wi-Fi
    networks can decide to launch it whenever they want (by blocking the
    user's connection to the nmcheck domain) and load whatever web content
    they want into it. So having this unsandboxed is really extraordinarily
    risky. Previously it was a risk we had to accept, because WebKit did not
    have a web process sandbox, but now it does. So let's bubblewrap all the
    things!
    
    https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/983

 js/portalHelper/main.js | 4 ++++
 1 file changed, 4 insertions(+)
---
diff --git a/js/portalHelper/main.js b/js/portalHelper/main.js
index b0e568dacb..88adc1b8df 100644
--- a/js/portalHelper/main.js
+++ b/js/portalHelper/main.js
@@ -118,6 +118,10 @@ class PortalWindow extends Gtk.ApplicationWindow {
         this._webContext = WebKit.WebContext.new_ephemeral();
         this._webContext.set_cache_model(WebKit.CacheModel.DOCUMENT_VIEWER);
         this._webContext.set_network_proxy_settings(WebKit.NetworkProxyMode.NO_PROXY, null);
+        if (this._webContext.set_sandbox_enabled) {
+            // We have WebKitGTK 2.26 or newer.
+            this._webContext.set_sandbox_enabled(true);
+        }
 
         this._webView = WebKit.WebView.new_with_context(this._webContext);
         this._webView.connect('decide-policy', this._onDecidePolicy.bind(this));