Open paravoid opened 5 years ago
I've been looking at Balsa's source code, which does similar things.
It looks like with WebKit2 it may be as easy as $settings->set('auto-load-images', $new_value), with no need to fiddle with the request URI and set it to about:blank.
While at it, htmail-view should probably set enable-java and enable-hyperlink-auditing to 0 unconditionally (i.e. to %webkit_settings), and possibly set enable-javascript only when images are explicitly enabled?
Disabling auto-load-images still allows loading of other external resources (i.e. CSS stuff). I do not like to change the enable-javascript setting since it should be ok if external resources loading is globally suppressed.
Sadly I did not find a way to make the resource loading policing work. In WebKit there was the resource-request-starting signal but WebKit2 only has the resource-load-started signal. The latter is called after beginning to download additional resources so policing doesn't work any more this way.
Ah, that makes sense.
Looking at the docs, it seems like there is such a signal, but only in WebKitWebPage (not WebKitView):
The “send-request” signal
This signal is emitted when request is about to be sent to the server. This signal can be used to modify the WebKitURIRequest that will be sent to the server. You can also cancel the resource load operation by connecting to this signal and returning TRUE.
No idea how you can get the WebKitWebPage object, though. I saw some references with a quick search that referred to needing to write an extension - hopefully there is an easier way than that...
From what I've read so far, it looks like fixing this properly requires writing a WebKit extension in C...
Perhaps until there is a better way, htmail-view should just block images unless/until the button is pressed? That's what Balsa seems to do (I kinda wonder if this is a vulnerability in Balsa by leaking external requests for e.g. CSS...)
Thanks for porting this to WebKit2 so quickly! I was looking at what it would take last weekend and it did not seem trivial to me at all. It was awesome to see that this is still an active project :)
I just tried 0.6 on my Debian buster system. Unfortunately, it looks like images are loaded as soon as I open an HTML page (and without hitting the button). With -v, I do see those resources emitted as RES-REQ#REJECT, but they still load.
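The decision a send-request handler would have to make, as an added example (not code from htmail-view, Balsa or WebKit): a plain C function whose return value follows the convention in the documentation quoted above, TRUE to cancel the load. The function names, the `remote_allowed` flag and the list of local schemes (cid, data, about) are assumptions for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Schemes that never leave the machine (assumed list, not from the thread). */
static const char *const local_schemes[] = { "cid", "data", "about" };

/* Copy the lower-cased RFC 3986 scheme of uri into out; return 0 if none. */
static int uri_scheme(const char *uri, char *out, size_t outlen)
{
    size_t i = 0;

    if (uri == NULL || !isalpha((unsigned char)uri[0]))
        return 0;
    while (isalnum((unsigned char)uri[i]) || uri[i] == '+' ||
           uri[i] == '-' || uri[i] == '.') {
        if (i + 1 >= outlen)
            return 0;               /* scheme too long: treat as unparsable */
        out[i] = (char)tolower((unsigned char)uri[i]);
        i++;
    }
    if (uri[i] != ':')
        return 0;                   /* relative reference or garbage */
    out[i] = '\0';
    return 1;
}

/*
 * Hypothetical policy for a "send-request" handler: return 1 (TRUE, cancel
 * the load) or 0 (FALSE, let it through). remote_allowed models the user
 * having pressed the "load images" button.
 */
int should_cancel_request(const char *uri, int remote_allowed)
{
    char scheme[16];
    size_t n;

    if (!uri_scheme(uri, scheme, sizeof scheme))
        return 1;                   /* fail closed on anything unparsable */
    for (n = 0; n < sizeof local_schemes / sizeof local_schemes[0]; n++)
        if (strcmp(scheme, local_schemes[n]) == 0)
            return 0;               /* local content is always allowed */
    return remote_allowed ? 0 : 1;  /* images, CSS, fonts: same rule */
}
```

Because the check keys on the URI scheme rather than the resource type, it covers the CSS case raised in the thread as well as images.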