Bug 248470

Summary:

[GTK] Should be possible to block resource preload

Product:

WebKit

Reporter:

Milan Crha <mcrha>

Component:

WebKitGTK

Assignee:

Nobody <webkit-unassigned>

Status:

NEW ---

Severity:

Normal

CC:

bugs-noreply, mcatanzaro

Priority:

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
test message	none

Description Milan Crha 2022-11-29 08:33:26 PST

Created attachment 463787 [details]
test message

The attached file contains a message, which can be imported into the Evolution, or you can simply remove mail headers from the top and use it as a bare HTML page. It corresponds to this page https://www.michaelgeist.ca/2022/11/law-bytes-podcast-episode-148/?utm_source=rss&utm_medium=rss&utm_campaign=law-bytes-podcast-episode-148 

I do not like several things about it:

a) there is a set of warnings on the console:

> CONSOLE OTHER WARN The resource https://www.michaelgeist.ca/wp-content/plugins/social-icons-widget-by-wpzoom/assets/font/socicon.woff?v=4.2.6
> was preloaded using link preload but not used within a few seconds from the window's load event. Please make sure it wasn't preloaded for nothing.

   1) how can WebKitGTK preload anything, when the evolution controls what is loaded and what not through WebKitWebPage::send-request? See also bug #248390, but this one is different, from my point of view

   2) what am I supposed to do with this warning, when I've absolutely no control on the HTML content? The page is generated by a 3rd party. Maybe you've enabled these warnings only in some developer mode, then it would be okay.

b) Evolution has set:
		"auto-load-images", TRUE,
		"enable-dns-prefetching", FALSE,
This page contains a lot of tags about prefetching and preloading and what not. I hope all of these are consulted with the WebKitWebPage::send-request, or if there's any other mechanism to make sure the 3rd-party page doesn't touch internet on its own, only through the controlled way by the application, then I'll be happy to be pointed to the right direction. Otherwise my understanding was that the WebKitWebPage::send-request is one way to influence what is downloaded and how. I'm aware of the WebKitWebView::decide-policy, it is used internally, though only for WEBKIT_NAVIGATION_TYPE_LINK_CLICKED:

```

	if (type != WEBKIT_POLICY_DECISION_TYPE_NAVIGATION_ACTION &&
	    type != WEBKIT_POLICY_DECISION_TYPE_NEW_WINDOW_ACTION)
		return FALSE;

	navigation_decision = WEBKIT_NAVIGATION_POLICY_DECISION (decision);
	navigation_action = webkit_navigation_policy_decision_get_navigation_action (navigation_decision);
	navigation_type = webkit_navigation_action_get_navigation_type (navigation_action);

	if (navigation_type != WEBKIT_NAVIGATION_TYPE_LINK_CLICKED)
		return FALSE;
```
This signal doesn't seem to cover "redirect" as the WebKitWebPage::send-request allows.

Comment 1 Milan Crha 2022-11-29 08:35:54 PST

I forgot to add, this is with webkit2gtk4.1-2.38.0-3.fc37.x86_64

Comment 2 Milan Crha 2023-04-26 06:12:55 PDT

Does that with 2.40.0 as well.

Comment 3 Michael Catanzaro 2023-04-26 07:03:12 PDT

Perhaps I'm misunderstanding something, but the problem is a web console warning caused by the web content in the email that you're displaying, yes?

> 2) what am I supposed to do with this warning, when I've absolutely no control on the HTML content? The page is generated by a 3rd party. Maybe you've enabled these warnings only in some developer mode, then it would be okay.

You're not supposed to do anything with this warning. It's a warning for whoever developed the HTML used in that email. Preloading content in emails just doesn't make sense, right? You should not attempt to "fix" web console warnings because those can only be fixed by the web content developers, not by the developers of applications that use WebKit.

Comment 4 Milan Crha 2023-04-26 23:14:22 PDT

(In reply to Michael Catanzaro from comment #3)
> Perhaps I'm misunderstanding something, but the problem is a web console
> warning caused by the web content in the email that you're displaying, yes?

Yes and no. One problem is that I cannot (and shouldn't, as you said) do anything about the warning. If it's only for the page developer, then show it to the page developer, not to everybody else, whom cannot influence it by any means.

The other problem is that it claims the resource *had been preloaded*. I trusted that message, but trying it here, I do not see any sign of the resource download in the access logs of my server, thus maybe the warning lies and nothing was preload at all. Being there anything preloaded, I'd consider it a security problem, because any attacker/spammer could have such preloads in the document to verify the address is functional and anybody reads the message, despite Evolution controlling the internet traffic by the WebKitGTK API.

Interestingly, referencing an https:// address in the "preload" <link>, which uses an invalid certificate, shows an error message in the console about the invalid certificate, thus maybe it tries to download something with http://, but doesn't finish it? I do not know how these things work under the hood.

Comment 5 Michael Catanzaro 2023-04-27 06:48:58 PDT

> The other problem is that it claims the resource *had been preloaded*. I trusted that message, but trying it here, I do not see any sign of the resource download in the access logs of my server, thus maybe the warning lies and nothing was preload at all.

Huh, that sounds like a bug indeed. I would trust your server logs.

> Being there anything preloaded, I'd consider it a security problem, because any attacker/spammer could have such preloads in the document to verify the address is functional and anybody reads the message, despite Evolution controlling the internet traffic by the WebKitGTK API.

I guess we need some way to block preloads. It's expected that web content can preload whatever it wants, and I don't think we have any way to prevent that. But an email client is indeed expected to not allow that.