[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#30329] [PATCH] gnu: emacs: Build with xwidgets support.
|
From: |
Alex Vong |
|
Subject: |
[bug#30329] [PATCH] gnu: emacs: Build with xwidgets support. |
|
Date: |
Thu, 08 Feb 2018 09:04:35 +0800 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) |
address@hidden (Ludovic Courtès) writes:
> Hello,
>
> Leo Famulari <address@hidden> skribis:
>
>> On Sat, Feb 03, 2018 at 05:48:12AM +0800, Alex Vong wrote:
>>> Hi,
>>>
>>> This patch adds xwidgets support to Emcas. So Emacs can now display GTK
>>> widgets. In particular, it can display webpages using webkitgtk.
>>>
>>> Also, I use webkitgtk-2.4 instead of webkitgtk, because xwidgets
>>> requires libwebkitgtk-3.0 instead of libwebkitgtk-4.0 to
>>> build.
>>
>> Webkitgtk is very actively researched and exploited for security
>> problems. If this use of webkitgtk-2.4 would ever handle untrusted
>> input, it's not very safe. I don't use Emacs so I'm not sure what the
>> use case is for webkitgtk.
>>
>> For examples, you can check the security advisories published by the
>> Webkitgtk team:
>>
>> https://webkitgtk.org/news.html
>>
>> They publish an advisory after every release, and there are always
>> several fixed bugs allowing code execution by whoever supplies the input
>> (typically from a remote web server).
>
> That’s indeed a bit of a problem. Would be nice if it could use the
> latest webkitgtk series.
>
> Given that and the increase in closure size, I would prefer making it a
> separate “emacs-xwidgets” package.
>
> WDYT?
>
I agree with what Leo thought. Since it is up to emacs package authors
to make sure untrusted input are never sent to webkitgtk, and it is hard
to garantee that every package does the right thing.
So I will send another patch after emacs switch to libwebkitgtk-4.0 (in
a separate package).
> Thanks,
> Ludo’.