Another topic relating to decisions around native messaging:
I think the main points to consider from a security perspective:
- Letting a snap install a native messaging configuration makes sandbox escape trivial. The configuration file contains a command line that the web browser will execute. If that command line is not a snap command wrapper, then it will be executed without confinement.
- Even if they can trivially escape it, strict confinement can be useful for a native messaging service since it will be run in a well-known execution environment. The request for `system-files` or `personal-files` access should be treated with similar gravity as a classic confinement request, due to the relative ease of escalating to similar privilege.
- Having a snapped web browser talk to a snapped native messaging service is probably not going to be possible, as a snapped application cannot execute another snapped application directly.