>>>> Another minor comment: it seems like this new API returns raw data. It 
>>>> seems like the native way to use this would result in running untrusted 
>>>> data from the network through image decoders outside the Web Process 
>>>> sandbox. Do we have a way to avoid that?
>>> 
>>> This came up while implementing it for Safari, too. In practice we didn't 
>>> decode icons out-of-process before so this model was not a regression. I 
>>> see value in offering this, but it's also something conscientious clients 
>>> can do on their own with the raw data.
>> 
>> Didn’t we need to create the Safari ImageDecoder service to work around the 
>> problem of decoding untrusted icon images?
> 
> That’s not going to be available to other participants in the WebKit Open 
> Source projects.

Sorry — I don't mean to suggest that other projects should adopt Safari's 
ImageDecoder service. I just want to clarify that Maciej’s concern is more than 
theoretical.

I would add that I don’t like the idea that it’s the client’s job to be 
“conscientious” in order to achieve safe rendering of web content. The point of 
Modern WebKit as a framework is that all clients should get safe rendering by 
default.

Therefore, I think it’s a flaw that the current API vends only raw encoded data.

Geoff
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev