bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly

[Dr. Arne Babenhauserheide]

Jean Louis <bugs@gnu.support> writes:

> * Dr. Arne Babenhauserheide <arne_bab@web.de> [2022-10-28 01:11]:
>> 
>> Max Nikulin <manikulin@gmail.com> writes:
>> 
>> > How are you going to distinguish your personal files and arbitrary
>> > files from non-trusted sources? By signing your files and maintaining
>> > list of trusted certificates?
>> 
>> One idea that could work well is to add an explicit allow-list
>> trusted-sources-to-allow-unsafe-modes with entries of domain and
>> path-prefix where people can add trusted sources.
>
> That implies that for every content type you are supposed to do the
> same.

No, you misunderstood the proposal.

> And what makes you want to limit people how they want to run their Org
> files?

The wish to limit the fallout when¹ this gets weaponized by criminals.

If you explicitly allow-list trusted sources, bad actors have to take
over your trusted server to attack you. That’s much less likely than bad
actors taking over some random long-unmainted server of a link you
stumbled upon.

¹: when, not if.

Best wishes,
Arne
-- 
Unpolitisch sein
heißt politisch sein,
ohne es zu merken.
draketo.de

signature.asc
Description: PGP signature