RSS-plugin: Provide a less restricted view #2462
Comments
We can use GD to remove EXIF data from images before displaying them. However, we would need to create a new plugin and consider temporarily caching images processed. https://www.php.net/manual/en/book.image.php
Links should only be trusted (by default) if they belong to the domain of the RSS feed. We can distribute a whitelist file with preset values such as https://www.imdb.com/ so users can read movie reviews.
noreferrer should be added to links for privacy.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Is your feature request related to a problem?
A less restricted view was first requested in #2426.
However, stickz worries that users may fall victim to phishing attacks if we show <a> links as in #2429.
Additionally, there is also a privacy threat when trying to show <img> resources from an unknown source in the browser.
Describe the solution you'd like
In my opinion, providing an option to show <a> links is reasonable since the user can hover the link to see where it leads.
On the other hand, <img> should not be fetched unless the request is proxied.
Suggestions by stickz:
Further security/privacy feature ideas by me:
public, private) for individual RSS feeds, instead of Secure and Insecure
action.php?fetchurl=...
guid (opened with dblclick) or the torrent url matches the RSS feed domain
Additional context
Novik suggested to add noreferrer to links #2426 (comment)
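The link rule discussed in this thread (trust a link by default only when it belongs to the RSS feed's domain or to a distributed whitelist, and add noreferrer), as an added JavaScript example that is not ruTorrent's code. The function names, the feed URL and the exact-host matching policy are assumptions; only the https://www.imdb.com/ preset comes from the thread.

```javascript
// Added example; all names here are hypothetical, not part of the RSS plugin.
// Preset whitelist entry taken from the thread.
const WHITELIST = ['https://www.imdb.com/'];

// Return the host of an http(s) URL, or null for anything else.
// Parsing (instead of string prefix checks) defeats look-alikes such as
// "https://www.imdb.com@other.example/" and "https://www.imdb.com.other.example/".
function httpHost(raw) {
  try {
    const u = new URL(raw);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.hostname.replace(/\.$/, ''); // drop a trailing root dot
  } catch {
    return null; // relative or malformed URL
  }
}

// Assumed policy: exact host match against the feed or a whitelist entry.
function isTrustedLink(linkUrl, feedUrl, whitelist = WHITELIST) {
  const linkHost = httpHost(linkUrl);
  const feedHost = httpHost(feedUrl);
  if (!linkHost || !feedHost) return false;
  if (linkHost === feedHost) return true;
  return whitelist.some((entry) => httpHost(entry) === linkHost);
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Trusted links become <a rel="noreferrer">; everything else is shown as
// escaped plain text, so feed content cannot inject markup or a hidden target.
function renderLink(linkUrl, text, feedUrl) {
  if (!isTrustedLink(linkUrl, feedUrl)) return escapeHtml(text);
  const href = escapeHtml(new URL(linkUrl).href);
  return `<a href="${href}" rel="noreferrer">${escapeHtml(text)}</a>`;
}

// Constructed sample input.
const FEED = 'https://tracker.example/rss.php?id=1';
console.log(renderLink('https://tracker.example/details/42', 'Details', FEED));
console.log(renderLink('https://www.imdb.com@other.example/', 'Review', FEED));
```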