Hi all, I’ve recently added a mechanism to filter IPC messages based on which features are enabled at runtime.
By adding `[EnabledBy=X]` either to a whole message receiver or on an individual IPC message, we can enable IPC messages only when feature X is enabled at runtime. Note that to use this feature, a new entry `sharedPreferenceForWebProcess: true` needs to be added to UnifiedWebPreferences.yaml. Why do we want to do that you may ask? It’s to protect UI, Network, and GPU processes from a compromised WebContent process. By restricting IPC messages/receivers at runtime, we dramatically reduce the attack surface available to the malicious code in WebContent process. So if you’re adding a new IPC message receiver or a new IPC message, please runtime guard each IPC receiver / message with `[EnabledBy=X]` when possible. - R. Niwa
_______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
