El vie, 07-10-2016 a las 14:45 +1100, Michael Gratton escribió: > > Hey Adrián, > > Thanks for the suggestions and feedback — I've actually started work > on this and so am now running into these issues. > > On Wed, Aug 3, 2016 at 11:45 PM, Adrián Pérez de Castro <aperez@igali > a.com> wrote: > > One of the things that needs to be taken care of is how Geary > > does > > manipulates an HTML email's markup before loading it into a > > WebView. > > This is done for a few reasons: Applying app-specific and user- > > specific > > CSS, to implement collapsible quote sections, for handling loading > > of > > inline and attached images, and to ensure that bulk and junk > > messages > > containing bugged remote images, etc. aren't automatically > > triggered. > > > > You may want to consider using WebKitUserContentManager [1]. In > > short, it > > allows you to inject CSS and JavaScript snippets into content > > loaded in a > > WebKitWebView. The injected JavaScript code runs in the WebProcess, > > in the > > same context as the loaded web content, and it can manipulate it in > > any > > way it wants, using the DOM and all the rest of web APIs. > > > > Additionally, you can register a “message handler”, which allows > > you to > > send messages from JavaScript with: > > > > window.webkit.messageHandlers.<handler-name>.postMessage(value) > > > > When that function is called from JavaScript, “value” is serialized > > and > > sent to the UIProcess (your application), and the > > WebKitUserContentManager > > emits the “script-message-received::<handler-name>” signal. > > > > If you need to send messages from the UIProcess to the WebProcess, > > you can > > use webkit_web_view_run_javascript() e.g. to call JavaScript > > functions which > > have been defined in your injected scripts. > > This mechanism sounds good, and I might be able to get away with > using this rather than implementing a WebExtension, except for one > thing: It quite reasonably seems to require JavaScript is enabled for > webkit_web_view_run_javascript() to work, and currently Geary > disables JavaScript since it's not widely required for HTML email, > and since it reduces the size of the malware attack surface. > > I'm reluctant to re-enable JS because of the secuity angle, but was > wondering if, aside from playing wack-a-mole by removing SCRIPT > elements on HTML mail, if there is some mechanism to allow > WebKitUserContentManager scripts and webkit_web_view_run_javascript() > to function, while preventing JS in the HTML from executing?
That's a very good point, we'll check if that's possible, or wer'll try to make it possible otherwise. > Ta! > > //Mike > > _______________________________________________ > webkit-gtk mailing list > [email protected] > https://lists.webkit.org/mailman/listinfo/webkit-gtk -- Carlos Garcia Campos http://pgp.rediris.es:11371/pks/lookup?op=get&search=0xF3D322D0EC4582C3
signature.asc
Description: This is a digitally signed message part
_______________________________________________ webkit-gtk mailing list [email protected] https://lists.webkit.org/mailman/listinfo/webkit-gtk
