qt6: Add macOS sandboxing warning

See #7278
qutebrowser · Jun 22, 2022 · 6227df6 · 6227df6
1 parent cd6e640
commit 6227df6
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 0 deletions.
diff --git a/qutebrowser/app.py b/qutebrowser/app.py
@@ -46,6 +46,7 @@
 import argparse
 from typing import Iterable, Optional
 
+from qutebrowser.qt import machinery
 from qutebrowser.qt.widgets import QApplication, QWidget
 from qutebrowser.qt.gui import QDesktopServices, QPixmap, QIcon
 from qutebrowser.qt.core import pyqtSlot, QUrl, QObject, QEvent, pyqtSignal, Qt
@@ -354,6 +355,15 @@ def _open_special_pages(args):
         ('session-warning-shown',
          True,
          'qute://warning/sessions'),
+
+        ('sandboxing-warning-shown',
+         (
+             hasattr(sys, "frozen") and
+             utils.is_mac and
+             machinery.IS_QT6 and
+             os.environ.get("QTWEBENGINE_DISABLE_SANDBOX") == "1"
+         ),
+         'qute://warning/sandboxing'),
     ]
 
     if 'quickstart-done' not in general_sect:

diff --git a/qutebrowser/browser/qutescheme.py b/qutebrowser/browser/qutescheme.py
@@ -583,6 +583,9 @@ def qute_warning(url: QUrl) -> _HandlerRet:
                            title='Qt 5.15 sessions warning',
                            datadir=standarddir.data(),
                            sep=os.sep)
+    elif path == '/sandboxing':
+        src = jinja.render('warning-sandboxing.html',
+                           title='Qt 6 macOS sandboxing warning')
     else:
         raise NotFoundError("Invalid warning page {}".format(path))
     return 'text/html', src

diff --git a/qutebrowser/html/warning-sandboxing.html b/qutebrowser/html/warning-sandboxing.html
@@ -0,0 +1,16 @@
+{% extends "styled.html" %}
+
+{% block content %}
+<h1>{{ title }}</h1>
+<span class="note">Note this warning will only appear once. Use <span class="mono">:open
+qute://warning/sandboxing</span> to show it again at a later time.</span>
+
+<p>
+    Due to a <a href="https://github.com/pyinstaller/pyinstaller/pull/6903">PyInstaller issue</a>,
+    Chromium's <a href="https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox_faq.md">sandboxing</a>
+    is currently disabled for macOS builds with Qt 6. This means that there will be no additional layer of protection
+    in case of Chromium security bugs. Thus, it's advised to
+    <b>not use this build in production</b>. Hopefully, this situation will be
+    resolved before the final 3.0.0 release.
+</p>
+{% endblock %}