RESOLVED FIXED 189967
[WPE][GTK] Remove network access from WebProcess in sandbox 
https://bugs.webkit.org/show_bug.cgi?id=189967
Summary [WPE][GTK] Remove network access from WebProcess in sandbox
Patrick Griffis
Reported 2018-09-25 11:54:33 PDT
Currently the WebProcess requires network access because GStreamer requires it for HLS (HTTP Live Streaming) possibly among other features. This is a hole that shouldn't exist since that is the purpose of a separate NetworkProcess. We need to figure out some way to proxy data through that to GStreamer.
Attachments
WiP patch (10.03 KB, patch)
2019-03-05 05:29 PST, Philippe Normand 		no flags
DetailsFormatted DiffDiff
Patch (2.99 KB, patch)
2019-03-25 12:45 PDT, Patrick Griffis 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Philippe Normand
Comment 1 2018-09-26 08:01:07 PDT
Our internal httpsrc element was used in the past for HLS/etc fragments downloading, when the URI scheme it exposes was http(s), without the webkit+ prefix. This had bad side effects for multimedia applications depending on WebKit... Ideally I think the gst adaptivedemux and its uridownloader element should try to reuse the src element initially used for the manifest download.
Philippe Normand
Comment 2 2018-09-26 08:02:30 PDT
(In reply to Philippe Normand from comment #1) > Ideally I think the gst adaptivedemux and its uridownloader element should > try to reuse the src element initially used for the manifest download. I hit "save changes" too early. :) What I meant was the uridownloader should instantiate the same element type that was used for the manifest download, if possible.
Philippe Normand
Comment 3 2019-03-05 05:29:53 PST
Created attachment 363638 [details] WiP patch With this webkitwebsrc is used to download HLS/etc fragments and it works if the webprocess has no network access as well. The patch breaks 2 HLS cookie checking layout tests though, so needs some more investigation.
Philippe Normand
Comment 4 2019-03-12 11:08:21 PDT
*** Bug 181377 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 5 2019-03-18 07:18:46 PDT
(In reply to Patrick Griffis from comment #0) > Currently the WebProcess requires network access because GStreamer requires > it for HLS (HTTP Live Streaming) > possibly among other features. > > This is a hole that shouldn't exist since that is the purpose of a separate > NetworkProcess. We need > to figure out some way to proxy data through that to GStreamer. Should be possible to try this now that Phil has handled HLS.
Philippe Normand
Comment 6 2019-03-18 07:23:32 PDT
HLS is not handled yet, the WiP patch attached here needs to be finished.
Philippe Normand
Comment 7 2019-03-18 10:29:41 PDT
*** Bug 169964 has been marked as a duplicate of this bug. ***
Philippe Normand
Comment 8 2019-03-19 08:59:59 PDT
Comment on attachment 363638 [details] WiP patch See bug #195948 ... I'll leave this one open for the BubbleWrap changes, not specific to GStreamer.
Philippe Normand
Comment 9 2019-03-20 07:19:38 PDT
(In reply to Michael Catanzaro from comment #5) > (In reply to Patrick Griffis from comment #0) > > Currently the WebProcess requires network access because GStreamer requires > > it for HLS (HTTP Live Streaming) > > possibly among other features. > > > > This is a hole that shouldn't exist since that is the purpose of a separate > > NetworkProcess. We need > > to figure out some way to proxy data through that to GStreamer. > > Should be possible to try this now that Phil has handled HLS. Now it is handled, there's no remaining blocker for this issue. Feel free to close the network hole from the WebProcess \o/
Patrick Griffis
Comment 10 2019-03-25 12:45:47 PDT
Created attachment 365882 [details] Patch
WebKit Commit Bot
Comment 11 2019-03-25 13:38:22 PDT
Comment on attachment 365882 [details] Patch Clearing flags on attachment: 365882 Committed r243449: <https://trac.webkit.org/changeset/243449>
WebKit Commit Bot
Comment 12 2019-03-25 13:38:24 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.