2016-10-07 5:45 GMT+02:00 Michael Gratton <[email protected]>: > > Hey Adrián, > > Thanks for the suggestions and feedback — I've actually started work on > this and so am now running into these issues. > > On Wed, Aug 3, 2016 at 11:45 PM, Adrián Pérez de Castro <[email protected]> > wrote: > > One of the things that needs to be taken care of is how Geary does > manipulates an HTML email's markup before loading it into a WebView. This > is done for a few reasons: Applying app-specific and user-specific CSS, to > implement collapsible quote sections, for handling loading of inline and > attached images, and to ensure that bulk and junk messages containing > bugged remote images, etc. aren't automatically triggered. > > You may want to consider using WebKitUserContentManager [1]. In short, it > allows you to inject CSS and JavaScript snippets into content loaded in a > WebKitWebView. The injected JavaScript code runs in the WebProcess, in the > same context as the loaded web content, and it can manipulate it in any way > it wants, using the DOM and all the rest of web APIs. Additionally, you can > register a “message handler”, which allows you to send messages from > JavaScript with: > window.webkit.messageHandlers.<handler-name>.postMessage(value) > When that function is called from JavaScript, “value” is serialized and > sent to the UIProcess (your application), and the WebKitUserContentManager > emits the “script-message-received::<handler-name>” signal. If you need > to send messages from the UIProcess to the WebProcess, you can use > webkit_web_view_run_javascript() e.g. to call JavaScript functions which > have been defined in your injected scripts. > > > This mechanism sounds good, and I might be able to get away with using > this rather than implementing a WebExtension, except for one thing: It > quite reasonably seems to require JavaScript is enabled for > webkit_web_view_run_javascript() to work, and currently Geary disables > JavaScript since it's not widely required for HTML email, and since it > reduces the size of the malware attack surface. > > I'm reluctant to re-enable JS because of the secuity angle, but was > wondering if, aside from playing wack-a-mole by removing SCRIPT elements on > HTML mail, if there is some mechanism to allow WebKitUserContentManager > scripts and webkit_web_view_run_javascript() to function, while > preventing JS in the HTML from executing? >
Hi i've been doing similar stuff in node-webkitgtk, using - a webextension to cancel all requests - a user-injected script to observe document mutations and catch insertion of script tags or onload attributes However that last part is surely not 100% guaranteed because it's difficult to track all the ways javascript can execute on a web page. Jérémy
_______________________________________________ webkit-gtk mailing list [email protected] https://lists.webkit.org/mailman/listinfo/webkit-gtk
