From 71661b287297f328c2c5ad67e180a760f80850cb Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Sat, 24 Oct 2020 15:34:12 -0700
Subject: [PATCH] Use WebKit sandboxing

* src/xwidget.c (Fmake_xwidget): Enable sandboxing if WebKit 2.26
or later.  Do this early, as required for sandboxing (Bug#43071).
Co-authored-by: Qiantan Hong <qhong@mit.edu>
Copyright-paperwork-exempt: yes
---
 src/xwidget.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/xwidget.c b/src/xwidget.c
index ea8987f5b3b..fb906d181ac 100644
--- a/src/xwidget.c
+++ b/src/xwidget.c
@@ -101,6 +101,13 @@ Returns the newly constructed xwidget, or nil if construction fails.  */)
   if (EQ (xw->type, Qwebkit))
     {
       block_input ();
+      WebKitWebContext *webkit_context = webkit_web_context_get_default ();
+
+# if WEBKIT_CHECK_VERSION (2, 26, 0)
+      if (!webkit_web_context_get_sandbox_enabled (webkit_context))
+	webkit_web_context_set_sandbox_enabled (webkit_context, TRUE);
+# endif
+
       xw->widgetwindow_osr = gtk_offscreen_window_new ();
       gtk_window_resize (GTK_WINDOW (xw->widgetwindow_osr), xw->width,
                          xw->height);
@@ -139,7 +146,7 @@ Returns the newly constructed xwidget, or nil if construction fails.  */)
                             "load-changed",
                             G_CALLBACK (webkit_view_load_changed_cb), xw);
 
-          g_signal_connect (G_OBJECT (webkit_web_context_get_default ()),
+          g_signal_connect (G_OBJECT (webkit_context),
                             "download-started",
                             G_CALLBACK (webkit_download_cb), xw);
 
-- 
2.39.2