Hey Adrián,
Thanks for the suggestions and feedback — I've actually started work
on this and so am now running into these issues.
On Wed, Aug 3, 2016 at 11:45 PM, Adrián Pérez de Castro
<[email protected]> wrote:
One of the things that needs to be taken care of is how Geary does
manipulates an HTML email's markup before loading it into a WebView.
This is done for a few reasons: Applying app-specific and
user-specific
CSS, to implement collapsible quote sections, for handling loading
of
inline and attached images, and to ensure that bulk and junk
messages
containing bugged remote images, etc. aren't automatically
triggered.
You may want to consider using WebKitUserContentManager [1]. In
short, it
allows you to inject CSS and JavaScript snippets into content loaded
in a
WebKitWebView. The injected JavaScript code runs in the WebProcess,
in the
same context as the loaded web content, and it can manipulate it in
any
way it wants, using the DOM and all the rest of web APIs.
Additionally, you can register a “message handler”, which allows
you to
send messages from JavaScript with:
window.webkit.messageHandlers.<handler-name>.postMessage(value)
When that function is called from JavaScript, “value” is
serialized and
sent to the UIProcess (your application), and the
WebKitUserContentManager
emits the “script-message-received::<handler-name>” signal.
If you need to send messages from the UIProcess to the WebProcess,
you can
use webkit_web_view_run_javascript() e.g. to call JavaScript
functions which
have been defined in your injected scripts.
This mechanism sounds good, and I might be able to get away with using
this rather than implementing a WebExtension, except for one thing: It
quite reasonably seems to require JavaScript is enabled for
webkit_web_view_run_javascript() to work, and currently Geary disables
JavaScript since it's not widely required for HTML email, and since it
reduces the size of the malware attack surface.
I'm reluctant to re-enable JS because of the secuity angle, but was
wondering if, aside from playing wack-a-mole by removing SCRIPT
elements on HTML mail, if there is some mechanism to allow
WebKitUserContentManager scripts and webkit_web_view_run_javascript()
to function, while preventing JS in the HTML from executing?
Ta!
//Mike
--
⊨ Michael Gratton, Percept Wrangler.
⚙ <http://mjog.vee.net/>
_______________________________________________
webkit-gtk mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-gtk
