Re: WebApps functionality





On Mon, Apr 20, 2020 at 12:43 pm, Jeremiah C. Foster <jeremiah foster puri sm> wrote:
Right, this is where we are as well since we want the default browser
(Epiphany) to be sandboxed and flatpak is the current best practice.
There are other alternatives that might be useful for containment but
as you see the community seems quite invested in flatpak.

Epiphany 3.34 and newer are sandboxed even if you don't use flatpak. I think you're shipping 3.32 currently? Anyway, it is a solved problem. :)

* If flatpak is not used, WebKitGTK will manually create its own bubblewrap sandbox for each web process that it launches. This provides flatpak-equivalent protection. The trusted UI process is not sandboxed, but the untrusted web processes are, and that's where nearly all the security bugs are.
* If flatpak is used, then sub-sandboxes are launched for each web process using flatpak-spawn. (That might require 3.36, not sure. Certainly it requires the latest WebKitGTK.)

Anyway, your users should be relatively safe as long as (a) you have 3.34 or newer, and (b) you update WebKitGTK whenever a new stable version is released. (Don't rely on Debian to do this in a timely manner. Current stable is 2.28.1.)

Michael
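
One way to check the non-flatpak case described in the message above on a running system. This is an added example, not part of the original message and not code from Epiphany or WebKitGTK. It assumes the web process shows up in `ps` as `WebKitWebProcess` (truncated by the kernel to 15 characters) and that a sandboxed web process has a `bwrap` ancestor; the sample process table is constructed.

```shell
#!/bin/sh
# Flag WebKit web processes that have no bwrap ancestor.
# Input on stdin: one "PID PPID COMM" line per process, e.g. from
#   ps -e -o pid= -o ppid= -o comm=
# Assumptions (not from the original message): the process names
# "WebKitWebProces" (comm is cut to 15 characters) and "bwrap".
unsandboxed_web_processes() {
    awk '
        { ppid[$1] = $2; comm[$1] = $3 }
        END {
            for (pid in comm) {
                if (comm[pid] !~ /^WebKitWebProces/) continue
                found = 0; p = ppid[pid]; hops = 0
                # Walk up the parent chain; the hop limit guards
                # against loops in a malformed snapshot.
                while ((p in comm) && hops++ < 64) {
                    if (comm[p] == "bwrap") { found = 1; break }
                    if (p == ppid[p]) break
                    p = ppid[p]
                }
                if (!found) print pid
            }
        }' | sort -n
}

# Constructed sample: PID 2152 is launched through bwrap, PID 3010 is not.
# The UI process (epiphany) is expected to be unsandboxed and is not checked.
SAMPLE_PS='    1     0 systemd
 2100     1 epiphany
 2150  2100 bwrap
 2151  2150 bwrap
 2152  2151 WebKitWebProces
 3000     1 MiniBrowser
 3010  3000 WebKitWebProces'

# Prints the PIDs of web processes without a bwrap ancestor.
printf '%s\n' "$SAMPLE_PS" | unsandboxed_web_processes
```

An empty result from live `ps` output means every web process found was started under `bwrap`; any PID listed is worth inspecting, along with the installed Epiphany and WebKitGTK versions.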



