Open Frando opened 1 year ago
I like this idea, further restricting the available channels seems very reasonable. However, I don't think we can disable the default protocols. At least on macOS WKWebView ships a set of default protocols that you simply cannot override. It will actually trigger an objc exception if you try to override it, causing a rust panic. I'm not aware of alternative constructors for the webview that create a "no defaults" Webview. But if there are this feature request would be very good to have!
Update: So WKWebView doesn't let you omit default protocols. But you can theoretically add custom content rules. Then you would just add a catch-all rule that blocks all requests.
Relevant resources:
https://developer.apple.com/documentation/webkit/wkusercontentcontroller/2902756-add
https://developer.apple.com/documentation/safariservices/creating_a_content_blocker
What I had in mind when we talked about it on Discord was webkitgtk's PolicyDecision stuff.
Describe the problem
I want to create Tauri windows (WebViews) that run user-supplied code ("apps"). I enabled a custom protocol handler (via `register_uri_scheme_protocol`). However, currently the WebViews can still access the other by-default enabled protocols (e.g. `http`, `https`, and `tauri`) and, for example, change the window location or issue fetch requests.
Describe the solution you'd like
I'd like these WebViews to be completely sandboxed and disallow all communication but the custom protocol handler that I registered. Ideally, I want to allow-list protocols for the WebView and disallow everything that is not in the allowlist, for all means of communication (`window.location`, `fetch`, `XMLHttpRequest`, `<script src="...">` etc.). Ideally, I want a WebView that defaults to no protocols, then specifically allow protocols, and additionally have a simple hook (in Rust) that is run for all network/protocol requests and can abort or disallow the request.
Alternatives considered
There are a few ways to reduce the communication surface for a WebView currently:
- `CSP` policy. This already, I think, allows one to disallow most communication for a WebView.
- The `isolation` feature provides a way to intercept and disallow IPC communication for WebViews.
- `WebViewBuilder` in `wry` has a `with_navigation_handler` that, I think, would allow one to disallow navigating away from the allowed protocol; however, I don't think this is currently exposed in tauri?
It might be possible to completely sandbox a WebView this way. If that is the case, a documentation guide for a completely sandboxed and secured WebView would be useful. However, it feels a bit hacky to get a sandboxed WebView by tying together multiple hooks to disallow things. I'd prefer to enable a "sandbox" mode or something once that would disallow all network communication by default, and then selectively enable things. This would, I think, be the better security primitive to run user-supplied code without having to fear information extraction attacks.
Additional context
No response
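The two building blocks the issue mentions, a scheme allowlist applied to navigations and a CSP that confines subresource loads, fit together as one policy object. The following is an added example written for this page; it is not code from Tauri or wry. The `SchemeAllowlist` type, the `scheme_of` helper and the `sandbox` scheme are assumptions made for the illustration. The `allows` predicate is the kind of closure one would hand to wry's `with_navigation_handler` (assuming it takes a closure from the target URL string to a boolean), and `csp()` produces the header value one would serve from the custom protocol handler. The sample URLs are constructed for the example.

```rust
/// Extract and normalize the scheme of an absolute URL following RFC 3986:
/// scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), terminated by ":".
/// Returns None for relative and scheme-relative URLs or malformed schemes,
/// which the allowlist then treats as denied (fail closed).
pub fn scheme_of(url: &str) -> Option<String> {
    // Browsers strip leading whitespace before parsing, so do the same here
    // to avoid " https://..." bypassing a naive prefix check.
    let s = url.trim_start();
    let colon = s.find(':')?;
    let raw = &s[..colon];
    let mut chars = raw.chars();
    let first = chars.next()?;
    if !first.is_ascii_alphabetic() {
        return None; // e.g. "//host:8080/x" or "1abc:x"
    }
    if !chars.all(|c| c.is_ascii_alphanumeric() || matches!(c, '+' | '-' | '.')) {
        return None;
    }
    // Schemes are case-insensitive; compare in lowercase.
    Some(raw.to_ascii_lowercase())
}

/// Allowlist of URI schemes a sandboxed WebView may talk to (hypothetical type).
pub struct SchemeAllowlist {
    schemes: Vec<String>,
}

impl SchemeAllowlist {
    pub fn new(schemes: &[&str]) -> Self {
        SchemeAllowlist {
            schemes: schemes.iter().map(|s| s.to_ascii_lowercase()).collect(),
        }
    }

    /// Navigation predicate: true only when the URL carries an allowlisted scheme.
    /// http, https, tauri, javascript:, data:, blob: and relative URLs all fail.
    pub fn allows(&self, url: &str) -> bool {
        match scheme_of(url) {
            Some(scheme) => self.schemes.iter().any(|a| *a == scheme),
            None => false,
        }
    }

    /// Content-Security-Policy confining fetch/XHR, scripts, styles, images,
    /// fonts and media to the allowlisted schemes, with frames, plugins,
    /// <base> and form submission disabled outright.
    pub fn csp(&self) -> String {
        let src = self
            .schemes
            .iter()
            .map(|s| format!("{}:", s))
            .collect::<Vec<_>>()
            .join(" ");
        format!(
            "default-src 'none'; script-src {src}; style-src {src}; img-src {src}; \
             font-src {src}; connect-src {src}; media-src {src}; frame-src 'none'; \
             object-src 'none'; base-uri 'none'; form-action 'none'",
            src = src
        )
    }
}

fn main() {
    // Constructed sample URLs exercising the edge cases above.
    let policy = SchemeAllowlist::new(&["sandbox"]);
    let samples = [
        "sandbox://app/index.html",
        "SANDBOX://app/index.html",
        "  sandbox://app/index.html",
        "https://example.com/",
        "tauri://localhost",
        "javascript:alert(1)",
        "data:text/html,<script>fetch('https://example.com')</script>",
        "//example.com/x",
        "/relative/path",
    ];
    for url in samples {
        let verdict = if policy.allows(url) { "allow" } else { "deny" };
        println!("{:<60} {}", url, verdict);
    }
    println!("CSP: {}", policy.csp());
}
```

The CSP covers what the issue lists under `fetch`, `XMLHttpRequest` and `<script src>`, but it does not stop a top-level navigation triggered through `window.location`, which is why the navigation predicate is still needed; and because the custom protocol handler registered with `register_uri_scheme_protocol` is the only channel left open, that handler becomes the remaining trust boundary and should validate paths and inputs as if they came from an untrusted page.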