On 02.08.23 19:48, Michael Catanzaro wrote:
> On Wed, Aug 2 2023 at 04:47:47 PM +0000, Albrecht Dreß <albrecht.dr...@posteo.de> wrote:
>> I use WebKitGtk in a MUA, which for privacy reasons shall block all external network accesses unless the user explicitly allows them. Using a web extension, I could redirect these accesses to “about:blank”. However, I /still/ see webkit opening tcp connections to the remote sites, which IMHO shouldn't happen, as it already leaks information to a potential attacker.
>
> You should be able to use the WebKitWebPage::send-request signal to block all network requests.

Please excuse my imprecise description – I *do* actually catch this signal in my extension. The handler is connected in the WebExtension::page-created callback via

    g_signal_connect(web_page, "send-request", G_CALLBACK(send_request_cb), NULL);

and the latter callback changes the request URI to

    webkit_uri_request_set_uri(request, "about:blank");

unless the uri is already “about:blank” or starts with “cid:” or “data:”. A debug message indicates that the signal is caught, and tcpdump doesn't show the http request, so I /think/ this part works as expected.

To me, this behavior looks as if the WebKitWebPage::send-request signal is fired only /after/ the connect() to the target host, but before the send(), which would perfectly explain my observations.

> If that doesn't work, it's probably a bug.

I see… so I should create a bug report in bugzilla?

Thanks,
Albrecht.

_______________________________________________ webkit-gtk mailing list webkit-gtk@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-gtk