
Bug#1054919: kaccounts-providers: google authentication hang after username entry



Hi Nicholas!

On Sun, Nov 12, 2023 at 03:36:20PM -0500, Nicholas D Steeves wrote:
> > Unlike Qt WebKit which is based on Apple WebKit, Qt WebEngine is based on
> > Chromium codebase.
> >
> > Qt WebEngine user agents will look like the following:
> >
> > Qt 5.15:
> > Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/5.15.15 Chrome/87.0.4280.144 Safari/537.36
> 
> So if we backport signon-ui's future WebKit -> WebEngine fix to
> bookworm, Google might still blacklist bookworm kaccounts users for
> having a user agent string that advertises an ancient browser?

Yes, but I don't know Google's exact policy on this.

But Chrome 87 is from 2020, which is much better than WebKit from 2016.

> Chrome/87.0.4280.144 is pretty old.  That said, I assume there are
> security reasons why we should use WebEngine and not WebKit in bookworm?

Yes. Qt WebKit has no security support at all, so many vulnerabilities
discovered in WebKit since 2016 are likely present there.

Qt WebEngine, on the contrary, backports security fixes from Chromium:

https://sources.debian.org/src/qtwebengine-opensource-src/5.15.15%2Bdfsg-2/CHROMIUM_VERSION/

Unfortunately we do not have enough manpower to backport all these fixes
to Debian stable releases, but Debian unstable has the latest Qt WebEngine
most of the time (I'm speaking for the 5.15 branch mostly, which I'm the
maintainer of).

That said, if signon-ui only loads one hardcoded website, and not random
content, I don't think you need to worry much about security.

--
Dmitry Shachnev
