Re: xdg-app and a11y (was Re: Our sandboxed apps won't really protect users)

I chatted with Alejandro Piñeiro about this today. The at-spi2 socket is a total sandbox escape: it can be used to inspect the accessibility tree of arbitrary applications, send them keyboard input, etc. We can't allow access to it. Also we can't block it, since that breaks a11y. A design change will be required. It should be considered in tandem with the problem of supporting a11y under Wayland, since the design problem there is similar. The basic issue is that Wayland clients have no access to other Wayland clients (except through clipboard and drag-and -drop selections), which is a security feature of the Wayland protocol, but one that breaks much of a11y, gnome-screenshot, etc. a11y needs a way to give privileged applications such access, while limiting the access of unprivileged applications.