Re: Sandbox all the WebKit!

From: Jordan Petridis <jordan alatiera com>
To: Michael Catanzaro <mcatanzaro gnome org>
Cc: desktop-devel-list <desktop-devel-list gnome org>
Subject: Re: Sandbox all the WebKit!
Date: Wed, 17 Jun 2020 12:21:49 +0000

Hi,

One of the things I am wondering how does this fair with Flatpak'ed applications, since its what we are 
recommending nowdays for users to use.
My understanding is that the webkit bwrap sandbox is only functional in non-nested bwrap sessions which means 
that while the Flatpak apps might be sandboxed, they most likely still have network access and the media 
related processes for example are not isolated.

Is this accurate? and if so while Flatpak apps are already isolated from the host system to some extent, 
there isn't an easy way to cut of network access per-process unless you cut off access for the whole 
application. Are there any plans for addressing this?

Cheers,
Jordan



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, June 16, 2020 11:47 PM, Michael Catanzaro <mcatanzaro gnome org> wrote:

Hi,

Please help GNOME sandbox all its uses of WebKit! We're about halfway
done:

https://gitlab.gnome.org/GNOME/Initiatives/-/issues/19

If you maintain an application using WebKit that hasn't yet enabled the
sandbox, it usually only requires one or two lines of code.
Applications that use a web process extension may be more complicated,
but we don't have many of those.

Michael

desktop-devel-list mailing list
desktop-devel-list gnome org
https://mail.gnome.org/mailman/listinfo/desktop-devel-list

Follow-Ups:
- Re: Sandbox all the WebKit!
  - From: Michael Catanzaro

References:
- Sandbox all the WebKit!
  - From: Michael Catanzaro

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]