Delta Chat is a fairly simple idea: a core written in Rust that contains all the important logic and different UIs for each OS. The problem is that webxdc apps expose a limited webview to other contacts. This means Delta Chat goes from having a minimal attack surface to a potentially larger one. Different OSes, with different webviews and versions that aren’t always updatable.
I’ve seen that you’re planning to add an option to limit calls to certain users. Why not add an option to disable webxdc apps for specific accounts or contacts? This would make Delta Chat a more secure messenger without any extra effort. Not all contacts are 100% trustworthy. Many users are using Delta Chat as a public contact not just for “family and friends.”
I know that apps don’t run on their own and the user has to execute them but a user could accidentally click and activate one or might be tricked into running a modified version. Now that it’s not possible to disable broadcast channels, they could be even more dangerous.
I wasn’t talking about banning contacts or users from groups. I was suggesting an option to ignore/hide that kind of content in the official clients. This way you could send an app but users with this option enabled couldn’t use it.
I wasn’t talking about blocking either — it was about detailed moderation. You’re overcomplicating things too much; it’s just an email client. It’s too early to talk about this, and in practice we’re very unlikely to encounter it in real life — only in theory.
Delta Chat has never been just an email client. My suggestion was simply to add an option to filter a certain type of content at the core, that’s all. We both have different perspectives on what real life is like (no offense). Anyway, my message was intended for the developers and to avoid adding a feature request to the core issues.
If we reason from the standpoint of real security, opening untrusted files (PDF, PNG, HTML, etc.) within a highly restricted sandbox environment like WebXDC is often safer than passing them to external system applications for opening.
It would be pretty simple to disable apps globally for an account. An option in “Chat and Media” to hide the apps would be enough. In the core, you just need a filter for “type: webxdc” or “Mimetype: application/webxdc+zip”. That would work for users with public accounts and let them keep webxdc enabled for other accounts.
To manage it by contact, I think we should wait and see the UI for calls first. A setting per account is simple but the UI gets complicated when you do something by contact.
. Seriously, I would have never even thought about that.