From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id KJ3TEWeCWWOqMgAAbAwnHQ (envelope-from ) for ; Wed, 26 Oct 2022 20:54:31 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id QF7OEGeCWWNWCQEAG6o9tA (envelope-from ) for ; Wed, 26 Oct 2022 20:54:31 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id DEB552A8A2 for ; Wed, 26 Oct 2022 20:54:30 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1onlHg-00007t-UI; Wed, 26 Oct 2022 14:37:48 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1onlHe-00006v-UQ for emacs-orgmode@gnu.org; Wed, 26 Oct 2022 14:37:46 -0400 Received: from stw1.rcdrun.com ([217.170.207.13]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1onlHc-0003XC-K8 for emacs-orgmode@gnu.org; Wed, 26 Oct 2022 14:37:46 -0400 Received: from localhost ([::ffff:197.239.4.142]) (AUTH: PLAIN admin, TLS: TLS1.3,256bits,ECDHE_RSA_AES_256_GCM_SHA384) by stw1.rcdrun.com with ESMTPSA id 0000000000081D90.0000000063597E73.000024E7; Wed, 26 Oct 2022 11:37:38 -0700 Date: Wed, 26 Oct 2022 21:37:15 +0300 From: Jean Louis To: Max Nikulin Cc: Stefan Kangas , 58774@debbugs.gnu.org, emacs-orgmode@gnu.org Subject: Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly Message-ID: Mail-Followup-To: Max Nikulin , Stefan Kangas , 58774@debbugs.gnu.org, emacs-orgmode@gnu.org References: <86bkq0qf8p.fsf@protected.rcdrun.com> <87bkq0t03l.fsf@web.de> <87v8o7qzff.fsf@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline In-Reply-To: User-Agent: Mutt/2.2.7+37 (a90f69b) (2022-09-02) Received-SPF: pass client-ip=217.170.207.13; envelope-from=bugs@gnu.support; helo=stw1.rcdrun.com X-Spam_score_int: -17 X-Spam_score: -1.8 X-Spam_bar: - X-Spam_report: (-1.8 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_SBL=0.141, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-orgmode@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Emacs-orgmode" Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1666810471; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=9UqS7FDgPnFVQwAFAvNJYXFbueu7L8mE+ys1kx0DZaQ=; b=Cr6T/EvB78KLyKBhL/La/CUzo3BlnV7w9Qf7WdDLuPFwQk4Qa9NQvQQh6R2R2F/uObe8+y p/YdiObgHchj0WuVSlsn1VWhYGbLafroX7o1JAbAEksPXUmTZ2UyUcTLNUb5LHL+JDG891 +FSLIwokEuz4wr66fPlTt1PPipqNRueYvqjsLkQMl96TovVZHYXTGX0FvIqsOCYAc1CnKV 6Eu3p8tHyRfHlfz84YbHSM9ndN5jnzD5QRk9n9u8OnzxB6yDanLgvhlkmnNK+DqxW3oMmG WcBHIeSv+j7WKTJq3yfTURJ30LR0ziPN7QEvXt3Et33+M59nkyvfziqzx5OiHw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1666810471; a=rsa-sha256; cv=none; b=M2MaITYzrhr5WvKLxhC0ImL/5JM6XdZ9EBAijbtdDCuhEmyMCi1dJQm6AVGNgfJyFHa2g5 eaTDHpcxZ9+33Z7Ay8krnwLue/0akJ3ek4l4RcVtBVuUcUSsVR+vl5KXJC8OftUpnfpykM NigBbRpDOFZ3wIZ+RH2T/NnKHJjtWWznE7heA5vMhzCvJ3q+wW8t9T3is95Q6uE5Dafq3l WqxAwJHIdkHSZ/8P+zeRPuSF/YkJdnEH+AOdjOWrCFOGdgX8TCVB0Ky1UvCPvW8WWTAMfG /gFq+Dgo5WC4c4n0t477V1c4vRhar+ue+xAqq5Xh5H/2BWzyFE48gssUDBTLuw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: 0.28 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: DEB552A8A2 X-Spam-Score: 0.28 X-Migadu-Scanner: scn0.migadu.com X-TUID: 8sC0wgj301GE * Max Nikulin [2022-10-26 20:10]: > If you were just requested mapping of Content-Type to some mode in > eww, perhaps it would pass. That is exactly what I need, thanks > You demanded Org mode configured by default. Hmm, that could be some misunderstanding. I have .mailcap file and I know I can configure any browser to open any content type how I wish and want. My e-mail client Mutt is opening Org files sent by Sacha Chua in org mode with Emacs. It is my choice as user to skip downloading such files and inspecting them. If Mutt supports me, and Iceweasel, to open Org files with Emacs, why not Emacs's EWW cannot support me to open Org files with Emacs?? That is completely not logical. That is what I need and expect from EWW, it is more general and more useful to let user customize any content type to be opened how user wish and want. This is because in Org files I may have links and wish to open Gnumeric spreadsheet. For example, if I get text/markdown (or equivalent) it would invoke Markdown mode, for Org mode, it would invoke Org mode. > Org have enough means to execute arbitrary code with minimal efforts > from user side. E.g. value of table cell may be recalculated. Those are not issues of EWW, but of Org mode in general. Similarly, I can open spreadsheets by using Libreoffice or Gnumeric and such spreadsheets can execute macros, I do not know how "dangerous" it is, but that is my choice to decide upon it. Browser like EWW, being able to accept content types, should give to user the option to decide if to open PDF file by integrated PDF viewer or any external PDF viewer, or to download the file, or to open the file by user's customized function, mode or program. Setting up content types is freedom for users to do what they want with files. The security aspect is in this moment highly hypothetical as victims are not there. And it is matter of Org mode in general. Is there much of difference of opening Org file by using EWW or sending link to Org file to be downloaded and THEN opened by Emacs? User not knowledgable may execute arbitrary code anyway. Please do not blame the communication channel and users how some Org feature is unsafe. That is Org security issue, and not EWW issue. HTTP is for delivery of files. What user does with files is user's choice. In general any Emacs package offered for download is in general security risk, and we freely recommend them to each others. It is quite clear that it is not safe executing software which one does not understand or cannot decipher. https://www.gnu.org/software/emacs/manual/html_node/efaq/Security-risks-with-Emacs.html Me, as user, I am totally free to configure WWW server to serve something like "application/e-lisp" as content type, and to open that type with `emacs --batch file.el' if I want. "Insecurity" is thus integral part of user's choice. As Ihor and others mentioned, then it will be maybe up to user to use Org safe mode or similar. That is not business of web server, HTTP or browser. Those are delivery, retrieval and presentation tools > Org files originating from non-trusted sources must be carefully > evaluated before opening them in Emacs. Same applies to ANY kind of files that may be inherently insecure. While HTML is considered secure, Javascript less than HTML, but still contained, there are many many content types that may be insecure, startin with APK, proprietary sotware, EXE Windows files, any kind of programming languages, plugins, etc. Warnings are everywhere. Let users decide what is trusted or non trusted source. Programmers of free software shall give users freedom. I have full freedom to download Emacs Lisp packages and execute them on my computer. That is same. I just want it faster. And I also want it executed. I find it excellent that I can instruct web server to serve me Emacs lisp which I can then execute, great. It may not be your common usage scenario to find any use of it. I do. There is freedom to configure browser to open packages and install them right away, without inspecting anything. In proprietary software world that is exactly what billion of people already do, they download and execute proprietary software, there is plethora of insecurity issues there. That is up to Org mode to solve. It is similar to Emacs warning you about local variables. So put some warnings in Org mode. But do not blame browser. Browser is download, presentation and forwarding tool. In Firefox, Content type that otherwise is not configured in browser, may be either saved by default or browser may ask user how to open it by default. It is users' decision if something is safe to open or not. I am sure that safe Org mode will solve that issue. Instead of speaking hypothetically of insecurities about delivering Org mode over HTTP, let us look at numerous advantages of it, they are analogous to WWW HTML files: - Publish your Org notes on WWW, and use them from anywhere in the world, from any device running Emacs; remove cache if any in EWW, and files are gone; privacy preserved; - Use your Org files from any mobile device running Emacs; I have too many of them and in that case I need not synchronize it at all; - Fetch Org style reports, templates, and workflows, modify and report back to manager; - Browse from Org file to Org file, create Dynamic Knowledge Repositore that staff members, group members may access and deal with it; - Automatically publish Org agenda, Org files directly, without export, to WWW servers, and access from remove places; - HTTP offers authentication mechanisms to protect private data; I do not have special opinion of "publishing Org files" for unknown people, if such people are not member of the group. That would require training them to know what is Org mode, and finally why? Emacs is poor general browser tool. Greatest benefit of Org files being served and properly parsed by Emacs by using HTTP is personal and group based. It is not mainly for public use. But one could think of it being analogous to Gemini. https://gemini.circumlunar.space/ Public who does not use Emacs will not be interested in such. They may download Org files and open it from file system. Same insecurity exists by downloading them and opening them. > Sometimes Org developer and maintainers do not have enough resources > to react to security-related reports. An issue not so dangerous in > the current state becomes really weird if Org mode becomes a default > handler for files fetched from net. Your interpretation is improper, as you mentioned "default handler for files fetched from net" -- and I was very specific, for text/x-org content type that EWW get possibility to invoke org mode on such files. Quite logical. Emacs, Org mode and EWW, those shall work together. I am surprised that it does not. At least Russian Nginx WWW server supports me as user to configure it so to serve Org files as text/x-org. Though personally I have already found buggy solution with Emacs Lisp modification to eww render function. I must improve it. > You may fight for your right to freely shoot your legs but you must > be careful enough to not injury people around. Reputation of Emacs > may be significantly affected by the requested change. What a dramatic exaggeration! Congrats. > I am strongly against Org mode as a default handler for files > downloaded from web sites. Eww user option, if implemented, should > have prominent warning that particular mode may not be ready for > such usage and each case should be carefully evaluated for security > issues. Default handler is not necessary. It is enough if users can set up how to open different content types by which application or by which mode. It is now more general question, like why I cannot invoke Gnumeric on gnumeric files, or Libreoffice on spreadsheet delivered by HTTP? -- Jean Take action in Free Software Foundation campaigns: https://www.fsf.org/campaigns In support of Richard M. Stallman https://stallmansupport.org/