tauri-apps / tauri

Build smaller, faster, and more secure desktop applications with a web frontend.
https://tauri.app
Apache License 2.0

[feat] Allow to completely sandbox WebViews from network access #5755

Open Frando opened 1 year ago

Frando commented 1 year ago

Describe the problem

I want to create Tauri windows (WebViews) that run user supplied code ("apps"). I enabled a custom protocol handler (via register_uri_scheme_protocol). However, currently the WebViews can still access the other by-default enabled protocols (e.g. http, https, and tauri) and, for example, change the window location or issue fetch requests.

Describe the solution you'd like

I'd like these WebViews to be completely sandboxed and disallow all communication but the custom protocol handler that I registered. Ideally, I want to allow-list protocols for the WebView and disallow everything that is not in the allowlist, for all means of communication (window.location, fetch, XmlHttpRequest, <script src="..."> etc).

Ideally, I want a WebView that defaults to no protocols, then specifically allow protocols, and additionally have a simple hook (in rust) that is run for all network/protocol requests that can abort or disallow the request.

Alternatives considered

There are a few ways to reduce communication surface for a WebView currently:

It might be possible to completely sandbox a WebView this way. If that is the case, a documentation guide for a completely sandboxed and secured WebView would be useful. However, it feels a bit hacky to get a sandboxed webview by tying together multiple hooks to disallow things. I'd prefer to enable a "sandbox" mode or something once that would disallow all network communication by default, and then selectively enable things. This would, I think, be the better security primitive to run user-supplied code without having to fear information extraction attacks.

Additional context

No response
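The default-deny scheme allowlist plus "hook that can refuse any load" asked for above, sketched as an added example (it is not Tauri's or wry's code). `NavigationPolicy` and `decide` are hypothetical names for logic a host would call from whatever navigation/request hook it exposes; `app` is an assumed custom scheme standing in for the one registered via register_uri_scheme_protocol.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Allow,
    Deny(&'static str), // reason, so denied loads can be logged
}

/// Hypothetical default-deny allowlist (not a Tauri API); schemes kept lowercased.
pub struct NavigationPolicy {
    allowed: HashSet<String>,
}

impl NavigationPolicy {
    pub fn new(allowed: &[&str]) -> Self {
        Self { allowed: allowed.iter().map(|s| s.to_ascii_lowercase()).collect() }
    }

    /// Scheme per RFC 3986 (ALPHA *(ALPHA/DIGIT/"+"/"-"/".") ":"); None if absent or malformed.
    fn scheme(url: &str) -> Option<&str> {
        let s = &url[..url.find(':')?];
        let mut chars = s.chars();
        if !chars.next()?.is_ascii_alphabetic() {
            return None;
        }
        chars.all(|c| c.is_ascii_alphanumeric() || matches!(c, '+' | '-' | '.')).then_some(s)
    }

    /// Deny everything without an allowlisted scheme: http(s):, data:, blob:,
    /// javascript: and relative URLs are all blocked unless explicitly listed.
    pub fn decide(&self, url: &str) -> Decision {
        // Normalise like URL parsers do before matching: strip surrounding
        // whitespace and embedded tab/newline so "jav\tascript:" is still caught.
        let cleaned: String = url.trim().chars().filter(|c| !matches!(c, '\t' | '\n' | '\r')).collect();
        match Self::scheme(&cleaned) {
            None => Decision::Deny("no parseable scheme"),
            Some(s) if self.allowed.contains(&s.to_ascii_lowercase()) => Decision::Allow,
            Some(_) => Decision::Deny("scheme not in allowlist"),
        }
    }
}

fn main() {
    // Only the app's own custom scheme is allowed, as the request above describes.
    let policy = NavigationPolicy::new(&["app"]);
    for u in ["app://localhost/index.html", "https://example.com", "javascript:void(0)", "/relative"] {
        println!("{u} -> {:?}", policy.decide(u));
    }
}
```

Because the decision is deny-by-default, adding a second scheme means adding it to the allowlist, never special-casing the deny branch.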

JonasKruckenberg commented 1 year ago

I like this idea, further restricting the available channels seems very reasonable. However, I don't think we can disable the default protocols. At least on macOS WKWebView ships a set of default protocols that you simply cannot override. It will actually trigger an objc exception if you try to override it, causing a rust panic. I'm not aware of alternative constructors for the webview that create a "no defaults" Webview. But if there are, this feature request would be very good to have!

JonasKruckenberg commented 1 year ago

Update: So WKWebView doesn't let you omit default protocols. But you can add custom content rules theoretically. Then you would just add a catch-all rule that blocks all requests.

Relevant resources:

https://developer.apple.com/documentation/webkit/wkusercontentcontroller/2902756-add

https://developer.apple.com/documentation/safariservices/creating_a_content_blocker

FabianLars commented 1 year ago

What I had in mind when we talked about it on Discord was webkitgtk's PolicyDecision stuff