From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id MGv/N/jhyGX1GwAA62LTzQ:P1 (envelope-from ) for ; Sun, 11 Feb 2024 16:04:25 +0100 Received: from aspmx1.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1.migadu.com with LMTPS id MGv/N/jhyGX1GwAA62LTzQ (envelope-from ) for ; Sun, 11 Feb 2024 16:04:25 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=gmail.com (policy=none) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1707663864; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=vsN9qnNpayY0s3ywzV4/TWSbvPYkxQbz97ebKyjf4kk=; b=XUXzzI3ld6oHISP/g934nlFkN5DfuDKl5LBqQN1mqrsGdlGnVPNr9CdExlvqOdXygc6xmo Wb9YU5zm4vHv1SEmi2EzU8Sc5xEVK0t989WoyLuTTlwaZN9A3r9fsJ4xRMLBrQu9QRZOtR FmUQAYhrGf8aICRuKcLHX9baj5hSq4Ij0ISDyl12q3kXCMTPNQQV6JAY8neOMXFPAp/m5T TSNyJsOAy3wvcZ8wuVpxVSDmN8ub0MdR37OdkM8aiZe5FAQUgH37ugx0Nu9jenKZZJoXrz 6edwTwnA7+mOR+V03x5tn2/KoDEsb4OkAlSlMliw7s/Tnn5wL6g/PUlCHI/H0g== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=gmail.com (policy=none) ARC-Seal: i=1; s=key1; d=yhetil.org; t=1707663864; a=rsa-sha256; cv=none; b=ZMj3NbhO5519qnBPO2a8alimZWLHxscBPDj1u8yGGlYyL7gbkgbEiWpl4o02WOLA2PC6h3 grB/49ZD44ThLUg4gZBDsUk5IBfUTr2SVeYwA8epxDll2FQDv+fG2Lci62JxEJIkwzQJjm apowtgvkhfLIOI7nRY8ckHZV4F1s8xjXXmhKNFZ/rcdaktVx09zUBXdKrBwzTEpbKxl9zZ tmo453DxxdA0Q1+c9X82dOmZ1yTjshMDakFXPxewZPtjprHLo3jyp1Zw0aXp7W3IT3L3k2 N2sWHzxmRGLj7I+SLtW2GgXZA+npfqLfvfCyEggykEIgC0Z/mioFHtqh5ExIow== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 815E246D56 for ; Sun, 11 Feb 2024 16:04:24 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rZBMu-0001p7-4B; Sun, 11 Feb 2024 10:03:44 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rZBMs-0001ow-PW for emacs-orgmode@gnu.org; Sun, 11 Feb 2024 10:03:42 -0500 Received: from ciao.gmane.io ([116.202.254.214]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rZBMq-0001bt-K8 for emacs-orgmode@gnu.org; Sun, 11 Feb 2024 10:03:41 -0500 Received: from list by ciao.gmane.io with local (Exim 4.92) (envelope-from ) id 1rZBMm-000AeE-Pt for emacs-orgmode@gnu.org; Sun, 11 Feb 2024 16:03:36 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: emacs-orgmode@gnu.org From: Max Nikulin Subject: Re: [BUG] Org may fetch remote content without asking user consent Date: Sun, 11 Feb 2024 22:03:27 +0700 Message-ID: References: <87bk8s45ja.fsf@localhost> <87a5ocqjy6.fsf@localhost> <874jej0zcb.fsf@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit User-Agent: Mozilla Thunderbird Content-Language: en-US, ru-RU In-Reply-To: <874jej0zcb.fsf@localhost> Received-SPF: pass client-ip=116.202.254.214; envelope-from=geo-emacs-orgmode@m.gmane-mx.org; helo=ciao.gmane.io X-Spam_score_int: 26 X-Spam_score: 2.6 X-Spam_bar: ++ X-Spam_report: (2.6 / 5.0 requ) BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FORGED_MUA_MOZILLA=2.309, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, NML_ADSP_CUSTOM_MED=0.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-orgmode@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org Sender: emacs-orgmode-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: 1.80 X-Migadu-Queue-Id: 815E246D56 X-Spam-Score: 1.80 X-Migadu-Scanner: mx11.migadu.com X-TUID: ol2v0RgZ5d+i On 08/02/2024 22:07, Ihor Radchenko wrote: > Max Nikulin writes: >>> Max Nikulin writes: >>> >>>> Browsers >>>> have concept of same origin for applying security and privacy measures. >> >> Consider a file opened as /ssh:host:org/test.org that has >> >> #+setupfile: /ssh:host:org/include.org >> >> Formally it is a remote file, actually it resides on the same host as >> the current document. Perhaps user consent is redundant. > > `org--safe-remote-resource-p' checks the containing Org file as well, in > addition to #+included URL. If my reading of the code is correct then it considers /ssh:host:org/include.org as safe if file:///ssh:host:org/test.org is added to `org-safe-remote-resources'. I was considering a case when there is no matching entry in `org-safe-remote-resources'. The user opens (C-x C-f) /ssh:host:org/test.org and likely it is enough to consider /ssh:host:org/include.org safe as well due to the same origin "/ssh:host:". >> I am not confident in proper policy though. When some URI matches a >> pattern in the safe list, likely it is suitable for files created by the >> user and it is not really safe to allow it for a mail message attachment. > > May you elaborate? Consider a user that has "#+include:" loaded from their own public repository and used for some babel computations. It is safe when included into user's files. I am not sure that it is safe for an org file opened through a link in the browser. Perhaps it is better to avoid included files in `org-safe-remote-resources' and add local directories there.