Code Review: WebKit2GTK security hardening

[bad-antics]

Security Code Review

Review WebKit2GTK settings for security hardening:

Areas to audit:

1. JavaScript execution policies
2. Cookie handling and storage
3. Mixed content blocking
4. TLS/SSL certificate validation
5. WebRTC leak prevention
6. Canvas fingerprint protection

Security checklist:

• Disable unnecessary web features
• Harden CSP headers
• Sandbox iframe content
• Block third-party cookies by default

/security-review

[github-actions]

📝 Issue Received

Thanks @bad-antics! We'll review this soon.

---

🤖 Marshall Bot

[bad-antics]

🔒 Security Code Review: WebKit2GTK Hardening

✅ Current Security Measures

• Third-party cookie blocking via CookieAcceptPolicy::NoThirdParty
• WebGL disabled when fingerprint protection enabled
• WebAudio disabled for fingerprint protection
• DNS prefetching disabled
• Page cache disabled
• Custom user agent to blend in

⚠️ Missing Security Hardening

1. JavaScript Policy Gaps

// Current: JavaScript always enabled
settings.set_enable_javascript(true);

// Recommendation: Add per-site JavaScript toggle
pub fn set_javascript_policy(&self, uri: &str, allow: bool) {
    self.js_whitelist.insert(uri.to_string(), allow);
}

2. Missing TLS/Certificate Settings

// Add TLS enforcement
use webkit2gtk::TLSErrorsPolicy;

let context = WebContext::default().unwrap();
context.set_tls_errors_policy(TLSErrorsPolicy::Fail);

// Add certificate pinning for critical sites
let cert_db = context.certificate_manager();

3. WebRTC Leak Prevention

// Add to settings
settings.set_enable_media_stream(false);
settings.set_enable_media(false);

// Or restrict WebRTC
settings.set_hardware_acceleration_policy(
    HardwareAccelerationPolicy::Never
);

4. Additional Hardening

// Disable plugins
settings.set_enable_plugins(false);

// Disable Java
settings.set_enable_java(false);

// Disable local storage (optional - breaks some sites)
settings.set_enable_html5_local_storage(false);

// Block mixed content
settings.set_allow_running_insecure_content(false);
settings.set_allow_modal_dialogs(false);

// XSS protection
settings.set_enable_xss_auditor(true);

// Frame flattening to prevent clickjacking
settings.set_enable_frame_flattening(true);

5. Content Security Policy Headers

// Inject CSP header via response filter
let policy = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";
// Add to response headers

🏷️ Security Checklist

• Disable unnecessary web features (partial)
• Block mixed content
• Sandbox iframe content
• Block third-party cookies by default
• Add WebRTC leak prevention
• Add TLS error policy (strict)
• Disable plugins/Java
• Add CSP headers injection
• Add certificate pinning for updates

📝 Recommended Config Additions

// config/mod.rs
pub struct SecurityConfig {
    pub strict_tls: bool,
    pub block_webrtc: bool,
    pub block_mixed_content: bool,
    pub disable_plugins: bool,
    pub enable_xss_auditor: bool,
    pub certificate_pins: Vec<CertPin>,
}

Rating: B - Good privacy foundation, needs WebRTC/TLS/plugin hardening for complete security coverage.