Sandbox all the WebKit!

Description

Improve security of GNOME applications that render web content by doing so in a bubblewrap sandbox.

Goals

Every application using WebKitGTK should opt-in to the web process sandbox by calling webkit_web_context_set_sandbox_enabled(). See this blog post for context.

Scope

Everything that uses WebKitGTK

People on charge & contact

Michael Catanzaro (@mcatanzaro)

Instructions to achieve the goals

https://gitlab.gnome.org/GNOME/Initiatives/-/wikis/Sandbox-all-the-WebKit!

Label for tracking the initiative

Initiative: Sandbox all the WebKit!

Text for the initiative issue in projects

Every application using WebKitGTK should opt-in to the web process sandbox by calling webkit_web_context_set_sandbox_enabled(). See #19 for details.

List of projects & tasks

GNOME

• devhelp
• epiphany
• evolution-data-server
• gnome-boxes
• gnome-builder
• gnome-initial-setup
• gnome-maps
• gnome-online-accounts
• sushi
• yelp

World

• bijiben
• evolution, reverted awaiting printing
• geary (waiting for printing)
• glade
• gnome-documents (archived)
• libgepub

How can I help

Submit merge requests. It's easy!

If you see any GNOME software included in gnome-build-meta that uses WebKit but is not listed here, it is missing a dependency in gnome-build-meta. Please report it.

added 9. Initiative: Sandbox all the WebKit! label

changed the description

changed the description

added Deliverable label

mentioned in issue shotwell#260 (closed)

changed the description

mentioned in commit diegoe/gnome-builder@49888e2a

mentioned in commit diegoe/gnome-builder@f0899f64

mentioned in merge request gnome-builder!279 (merged)

mentioned in commit gnome-boxes@5848068a

mentioned in merge request gnome-boxes!333 (merged)

mentioned in commit gnome-boxes@a0f6eb48

marked the checklist item gnome-boxes as completed

GNOME namespace labels are all prefixed with a number depending on which “category” they belong to. Initiatives are prefixed 9. Can you please rename the label for this initiative to fit in that scheme?

Fixed!

mentioned in commit diegoe/gnome-builder@8f7f77b0

Fixed for Shotwell (not in gnome-build-meta) : shotwell@4906cf46

mentioned in commit diegoe/gnome-notes@0aa8125e

mentioned in merge request gnome-notes!66 (merged)

mentioned in commit gnome-notes@bd39cd0d

mentioned in commit diegoe/gnome-notes@c3dea7fb

marked the checklist item gnome-online-accounts as completed

mentioned in commit sushi@f3a61e49

mentioned in merge request sushi!14 (merged)

mentioned in commit sushi@9ad31f72

marked the checklist item evolution as incomplete

Michael Catanzaro marked the task evolution as incomplete 3 months ago

I suppose it's due to evolution@9d82745d , thus due to https://bugs.webkit.org/show_bug.cgi?id=202363, right?

Yes... but why are you using an environment variable? Just do not call webkit_web_context_set_sandbox_enabled() if you want to avoid the sandbox?

This way people can still override the behavior, if they want to. It's also easier to fix/remove it on one place, than on two.

mentioned in commit sushi@0039c192

mentioned in merge request sushi!28 (merged)

changed the description

mentioned in commit sushi@06785e4c

mentioned in commit sushi@3fcb670f

marked the checklist item sushi as completed

changed the description

marked the checklist item gnome-builder as completed

changed the description

changed the description

Looks like Yelp unfortunately remains unsandboxed.