From: Max Nikulin
To: emacs-orgmode@gnu.org
Subject: Re: [BUG] Org may fetch remote content without asking user consent
Date: Wed, 7 Feb 2024 23:39:52 +0700

On 07/02/2024 23:12, Ihor Radchenko wrote:
> Max Nikulin writes:
>
>> #+setupfile: /dav:localhost#8000:/msg-123456.org
[...]
> I think we can enable checking for anything where `file-remote-p'
> returns non-nil.

It is a bit more tricky. The current file may be remote as well. Browsers
have a concept of same origin for applying security and privacy measures.
Org needs something similar. In addition, TRAMP locations should be
checked against `org-safe-remote-resources' as well.
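
A sketch of the same-origin idea discussed in the message above, as an added example that is not part of the original message and is not Org's code: a target is loaded without a prompt only when it shares the current document's origin or matches `org-safe-remote-resources`. The `my/` functions are hypothetical; the example assumes CURRENT is an absolute file name (possibly a TRAMP one) and that TRAMP recognizes the method used in the file names.

```elisp
;;; Added example: same-origin check for Org resource loading.
;;; The my/ names are hypothetical and not part of Org.
(require 'cl-lib)
(require 'url-parse)
(defvar org-safe-remote-resources) ; defined by Org; declared for stand-alone loading

(defun my/org-url-p (location)
  "Non-nil if LOCATION looks like scheme://..., i.e. a URL rather than a file name."
  (string-match-p "\\`[a-zA-Z][a-zA-Z0-9+.-]*://" location))

(defun my/org-resource-origin (location)
  "Return the origin of LOCATION.
URLs give \"scheme://host:port\", TRAMP names give their remote prefix
\(via `file-remote-p', which opens no connection), anything else `local'."
  (if (my/org-url-p location)
      (let ((url (url-generic-parse-url location)))
        (format "%s://%s:%s" (url-type url)
                (downcase (or (url-host url) "")) (url-port url)))
    (or (file-remote-p location) 'local)))

(defun my/org-resource-allowed-p (target current)
  "Non-nil if the document CURRENT may load TARGET without asking the user.
TARGET is allowed when it shares CURRENT's origin or matches a regexp in
`org-safe-remote-resources'.  A relative TARGET resolves against CURRENT."
  (let ((target (if (my/org-url-p target)
                    target
                  (expand-file-name target (file-name-directory current)))))
    (and (or (equal (my/org-resource-origin target)
                    (my/org-resource-origin current))
             (cl-some (lambda (regexp) (string-match-p regexp target))
                      (bound-and-true-p org-safe-remote-resources)))
         t)))

(defun my/org-resource-demo ()
  "Run the check on the thread's #+setupfile target; both documents are constructed."
  (let ((target "/dav:localhost#8000:/msg-123456.org"))
    (list (my/org-resource-allowed-p target "/home/user/notes/inbox.org")
          (my/org-resource-allowed-p target "/dav:localhost#8000:/index.org"))))
```

A caller would prompt the user, or refuse to load the resource, whenever `my/org-resource-allowed-p` returns nil.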