[GTK][WPE][a11y] Allow receiving event listener signals from the a11y bus #29052
Conversation
|
EWS run on current version of this PR (hash bade5fa) |
|
I'm confident that neither one of these signals constitute nor can be used for a sandbox escape nor information leak: The bus name in the first argument cannot be talked to from sandboxed apps, unless they have full access to the a11y socket (in which case, they don't need to use this signal to cause any harm). The event listener string is harmless, and so is the params array. |
|
Marking as a draft because, contrary to my assumption, xdg-dbus-proxy demands a TALK permission to |
|
This PR will work after flatpak/xdg-dbus-proxy#61 is merged. Technically, flatpak/flatpak#5828 would also make the flatpak-spawn variant work, but there are other bugs in Flatpak that prevent a11y from working. We'll probably need to coordinate with downstreams, and potentially even backport the Flatpak PR to a stable release. As for this PR, it is safe to land it as is. It won't work until flatpak/xdg-dbus-proxy#61 lands, but nothing will break or behave differently until then. |
|
Both flatpak/xdg-dbus-proxy#61 and flatpak/flatpak#5828 were merged. |
GeorgesStavracas
added
the
merge-queue
β¦ bus https://bugs.webkit.org/show_bug.cgi?id=240522 Reviewed by Michael Catanzaro. When a process - usually an AT - registers event listeners, AT-SPI broadcasts the EventListenerRegistered signal so that clients know about it. The EventListenerDeregistered signal is broadcasted when event listeners are removed. The web process monitors for these signal so that it can reduce the number of signal emissions on the a11y bus. Now consider that the web process runs in a sandbox (most of the time anyway), either by using Bubblewrap directly, or flatpak-spawn. These sandboxing mechanisms filter D-Bus messages and signals, including on the a11y bus. And here's the problem: both of them end up preventing the web process to receive the event listener signals! As a consequence, the web process never learns when the user turns on or off the screen reader, or auxiliary accessibility programs. And without that knowledge, the web process doesn't emit any event necessary for proper accessibility. Allow the Bubblewrap sandbox to receive the EventListenerRegistered and EventListenerDeregistered signals from org.a11y.atspi.Registry. This is safe, as there is insufficient information in these signals for any malicious usage, and the bus name in the messages are already from apps that purposefully advertise themselves. A similar patch is proposed for Flatpak, and there's nothing to be done from WebKit side to influence that. * Source/WebKit/UIProcess/Launcher/glib/XDGDBusProxy.cpp: (WebKit::XDGDBusProxy::accessibilityProxy): Canonical link: https://commits.webkit.org/280770@main
webkit-commit-queue
force-pushed
the
eng/GTK-AX-Accessibility-events-missing-for-browser-tabs-contents-when-nothing-is-listening-when-page-loads
branch
from
bade5fa
to
e949df8
Compare
|
Committed 280770@main (e949df8): https://commits.webkit.org/280770@main Reviewed commits have been landed. Closing PR #29052 and removing active labels. |
webkit-commit-queue
removed
the
merge-queue
GeorgesStavracas
deleted the
eng/GTK-AX-Accessibility-events-missing-for-browser-tabs-contents-when-nothing-is-listening-when-page-loads
branch
mcatanzaro
added
the
GLib Suggested Backport
e949df8
bade5fa