Sandboxing in CEF


Post by harsh » Mon Dec 09, 2019 11:51 am

We have integrated CEF with our application and it meets all the necessary conditions required to enable the sandbox. We have certain questions/doubts regarding the sandbox:
1. What features does CEF's sandbox provide?
2. Is it a modification of the Chromium sandbox or is it independent?
3. Is it recommended to use the provided sandbox or develop our own sandbox, as we will be doing it for our own application?
4. Is it possible to modify the policies and restrictions of the broker process or do we have to use it as is?
5. Is there any documentation of the CEF sandbox? The following link seems to be old: http://www.chromium.org/developers/desi ... ts/sandbox

Thanks!
harsh
Techie
 
Posts: 30
Joined: Mon Dec 09, 2019 11:17 am

Re: Sandboxing in CEF

Post by magreenblatt » Mon Dec 09, 2019 12:25 pm

magreenblatt
Site Admin
 
Posts: 12409
Joined: Fri May 29, 2009 6:57 pm

Re: Sandboxing in CEF

Post by harsh » Mon Dec 09, 2019 12:47 pm

So, calling the cef_sandbox_info_create() function and passing the resulting pointer into both the CefExecuteProcess() and CefInitialize() functions is sufficient to enable the sandbox?
Also, can we modify the broker process policies or regulate the URLs that the CEF browser opens?

Re: Sandboxing in CEF

Post by magreenblatt » Mon Dec 09, 2019 1:02 pm

What OS? Policies are generally set in Chromium code and cannot be modified without building CEF/Chromium from source code.

Re: Sandboxing in CEF

Post by harsh » Mon Dec 09, 2019 1:45 pm

Windows

Re: Sandboxing in CEF

Post by magreenblatt » Mon Dec 09, 2019 5:48 pm

The requirements for Windows are documented in cef_sandbox_win.h

Re: Sandboxing in CEF

Post by harsh » Mon Dec 09, 2019 9:51 pm

Thanks, I am able to understand the process better now. But just to reconfirm, calling the cef_sandbox_info_create() function and passing the resulting pointer into both the CefExecuteProcess() and CefInitialize() functions will enable the sandbox, right? We don't need to write any wrapper/override function.

Edit: We are using CEF just to display a popup notification. A webpage loads up with a few buttons, and on clicking any of them, the popup closes and the required website loads in the web browser.

Re: Sandboxing in CEF

Post by harsh » Wed Dec 11, 2019 10:09 pm

I have followed the steps and implemented them. I can verify from Task Manager that earlier all the child processes were running in elevated mode, but after sandboxing, one is running in elevated mode while the rest are running in non-elevated mode. Is there some other way to correctly verify that CEF has been sandboxed successfully? I tried reading from and writing to a file inside the OnBeforeBrowse function, hoping that it would give an error, but nothing of that sort happened. It was able to write to and read from the file.

Thanks!

Re: Sandboxing in CEF

Post by magreenblatt » Wed Dec 11, 2019 11:24 pm

OnBeforeBrowse is called in the main process which is not sandboxed.

Re: Sandboxing in CEF

Post by harsh » Wed Dec 11, 2019 11:29 pm

Oh, OK, thanks. Can you suggest where I can try for my POC?