On Wed, Jul 20, 2022 at 11:04 AM Vitaly Zaitsev via devel <devel@lists.fedoraproject.org> wrote:
> On 20/07/2022 08:55, Demi Marie Obenour wrote:
> > I also wonder if some features of QtWebEngine, such as the V8 JIT compiler or even scripting as a whole, ought to be proactively disabled.
>
> QtWebEngine is an extremely vulnerable thing due to a major lag after WebKit/Blink security patches. I even decided to build the Psi+ client without WebEngine support.
>
> But QtWebEngine is also used by GNOME/KDE web browsers (Epiphany, Falkon). Their users won't be happy after disabling the JS engine.

Just to clarify, Epiphany and other GTK- and WebKit-based browsers don't use QtWebEngine, but WebKitGTK. As far as I know, it doesn't suffer from the same support / late security fixes problem as QtWebEngine, because it's an official WebKit project, and released in parallel with new versions of WebKit. I just noticed that Epiphany snapshot builds are even prominently featured in the webkit.org download section :)

Fabio