Plans for portals that integrate widgets inside the app window?
Bastien Nocera
hadess at hadess.net
Thu Jun 23 23:22:18 UTC 2016
On Thu, 2016-06-23 at 22:26 +0200, Alexander Larsson wrote:
> On tor, 2016-06-23 at 20:18 +0200, Bastien Nocera wrote:
> >
> > This is actually also a problem with GTK+-built portals right now,
> > and
> > I've mentioned to Matthias and Alex that the compositor should try
> > to
> > differentiate this type of system popup implemented in GTK+
> > compared
> > to
> > the same version of "in the sandbox" popup.
>
> I'm not sure what the attack would be if you're opening up an in-
> sandbox file chooser that "looks like" the portal one? It could never
> gain access to anything anyway, even if you interact with it. (And it
> would be obvious, since it didn't actually show the files from the
> host.)
Populate the left-hand bar with stock folders even if it's not there,
select the "Network" item by default, and show the user's visible
shares in the local network. If you're lucky and steal credentials for
a NAS, maybe that NAS is also available from the outside.
A bit of a stretch, but not that different from all the Web popups that
look exactly like the OS you're running asking if you want to update
Flash.
Note that this could be more problematic when we hook authorisations to
access online accounts. We wouldn't popup a windows in the app saying
that the credentials expired, but if the app showed a phished page
asking for a Twitter account, would the user be able to tell the
difference?
Which is why we need to have those dialogues, asking for questions out
of the sandbox, look like system dialogues.
The fact that we need to use GTK+ widgets to implement those (which I
can completely understand) makes the phishing/spoofing easier. I'm not
sure what the differentiation will be, but we'll need to come up with a
design solution to this problem.
Cheers
More information about the xdg-app
mailing list