>From 1ca9d47923813e536753c18aa15194f15f39ab3d Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 27 Aug 2020 06:00:52 -0700
Subject: [PATCH] Use WebKit sandboxing

* src/xwidget.c (Fmake_xwidget): Enable sandboxing if WebKit 2.26
or later.  Do this early, as required for sandboxing.
Co-authored-by: Qiantan Hong <qhong@mit.edu>
Copyright-paperwork-exempt: yes
---
 src/xwidget.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/xwidget.c b/src/xwidget.c
index 154b3e9c82..851f96952c 100644
--- a/src/xwidget.c
+++ b/src/xwidget.c
@@ -114,6 +114,13 @@ DEFUN ("make-xwidget",
   if (EQ (xw->type, Qwebkit))
     {
       block_input ();
+      WebKitWebContext *webkit_context = webkit_web_context_get_default ();
+
+# if WEBKIT_CHECK_VERSION (2, 26, 0)
+      if (!webkit_web_context_get_sandbox_enabled (webkit_context))
+	webkit_web_context_set_sandbox_enabled (webkit_context, TRUE);
+# endif
+
       xw->widgetwindow_osr = gtk_offscreen_window_new ();
       gtk_window_resize (GTK_WINDOW (xw->widgetwindow_osr), xw->width,
                          xw->height);
@@ -152,7 +159,7 @@ DEFUN ("make-xwidget",
                             "load-changed",
                             G_CALLBACK (webkit_view_load_changed_cb), xw);
 
-          g_signal_connect (G_OBJECT (webkit_web_context_get_default ()),
+          g_signal_connect (G_OBJECT (webkit_context),
                             "download-started",
                             G_CALLBACK (webkit_download_cb), xw);
 
-- 
2.25.4