[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] Add user content APIs for WebKit Xwidgets
|
From: |
Qiantan Hong |
|
Subject: |
Re: [PATCH] Add user content APIs for WebKit Xwidgets |
|
Date: |
Fri, 28 Aug 2020 15:41:01 +0000 |
>> The script message handler API makes it possible to trigger event in emacs
>> from JavaScript, and can be used to implement procedure calling from
>> js to elisp. Currently only the other way around is possible.
>
> That sounds really scary, though. What are the security implications
> here?
I think it doesn’t increase any security risk, but sure correct me if I’m
wrong.
The way this works is, Elisp side has to use
(xwidget-webkit-register-message xwidget message-name)
to register for an identifier — if nothing is registered, nothing can go to
Elisp.
After an identifier is registered, JavaScript can then use it to post
messages, which becomes an input event on Elisp side. This itself won’t
be able to call any Elisp procedure, but it’s possible to bind the input event
to some Elisp procedure that dispatches on message body and calls other
function to simulate an FFI interface from js to Elisp. In this case,
that Elisp procedure should control which procedures are allowed to call.
> Anyway, this is a larger large patch, so to apply it to Emacs, we'd have
> to have a copyright assignment to the FSF. Would you be willing to sign
> such paperwork?
Sure, I’m sending email.
smime.p7s
Description: S/MIME cryptographic signature