On Tue, Sep 15, 2015 at 6:17 PM, Michael Catanzaro <mcatanzaro(a)gnome.org> wrote:
I chatted with Alejandro Piñeiro about this today. The at-spi2 socket
is a total sandbox escape: it can be used to inspect the accessibility
tree of arbitrary applications, send them keyboard input, etc. We can't
allow access to it. Also we can't block it, since that breaks a11y. A
design change will be required. It should be considered in tandem with
the problem of supporting a11y under Wayland, since the design problem
there is similar. The basic issue is that Wayland clients have no
access to other Wayland clients (except through clipboard and
drag-and-drop selections), which is a security feature of the Wayland protocol,
but one that breaks much of a11y, gnome-screenshot, etc. a11y needs a
way to give privileged applications such access, while limiting the
access of unprivileged applications.
Just as a data point, recent OS X versions have a per-application
white list of apps which have access to the a11y APIs while older
versions (<= 10.8) had a global switch, see
http://mizage.com/help/accessibility.html
Rui