URL identification for playback needs to occur in isolation
The URL identification code is accessing untrusted input and running it through programs I don't understand. During fetch, this code is isolated from the GUI (but not the database). During playback, this code runs in the GUI.
The URL identification code:
- must not have any access to the database
- must not have any access to the GUI
Move this code into its own process and look for ways to deny it access to the database, window system, etc.
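A sketch of the process split requested above, as an added example that is not code from this project. It assumes a POSIX host; `WORKER`, `identify_url`, `ENV_ALLOWLIST` and `ALLOWED_KINDS` are hypothetical names, and the worker body is a stand-in for the real URL identification code.

```python
import json
import os
import subprocess
import sys
import tempfile

# Hypothetical stand-in for the URL identification code. It reads one URL on
# stdin, answers with one JSON object on stdout, and reports what it can see.
WORKER = r"""
import json, os, sys
url = sys.stdin.readline().strip()
def is_open(fd):
    try:
        os.fstat(fd)
        return True
    except OSError:
        return False
json.dump({"url": url,
           "kind": "video" if url.endswith((".mp4", ".webm")) else "unknown",
           "gui_env": [k for k in ("DISPLAY", "WAYLAND_DISPLAY", "XAUTHORITY")
                       if k in os.environ],
           "extra_fds": [fd for fd in range(3, 64) if is_open(fd)]}, sys.stdout)
"""

ENV_ALLOWLIST = ("PATH", "LD_LIBRARY_PATH")    # nothing naming a display or session bus
ALLOWED_KINDS = {"video", "audio", "unknown"}  # constructed set for this example


def identify_url(url, timeout=5.0):
    """Run the worker in a child process and return its validated reply."""
    if "\n" in url or "\r" in url:
        raise ValueError("URL must be a single line")
    # Allowlist the environment so the child never learns where the GUI is.
    env = {k: os.environ[k] for k in ENV_ALLOWLIST if k in os.environ}
    with tempfile.TemporaryDirectory() as scratch:
        # close_fds=True drops every descriptor above 2, including any open
        # database handle; -I stops PYTHON* variables and cwd reaching the child.
        proc = subprocess.run(
            [sys.executable, "-I", "-c", WORKER],
            input=url + "\n", capture_output=True, text=True,
            env=env, cwd=scratch, close_fds=True, timeout=timeout, check=True)
    if len(proc.stdout) > 4096:
        raise ValueError("oversized worker reply")
    reply = json.loads(proc.stdout)
    # The reply crosses a trust boundary: check shape and values before use.
    if not isinstance(reply, dict) or reply.get("kind") not in ALLOWED_KINDS:
        raise ValueError("malformed worker reply")
    return reply
```

This removes inherited database descriptors and GUI connection details, but the child still runs as the same user and can open the database file by path. Denying that requires an OS-level boundary such as a separate account, a namespace or a sandbox profile.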