Open purplesyringa opened 3 years ago
purplesyringa
commented
3 years ago You didn't get the idea -- it's not about iframes in particular, it's about using Clearnet resources like images, scripts, APIs, etc. It looks like I didn't underline that in the issue body though -- sorry for that.
purplesyringa
commented
3 years ago Once again: this issue is not about mirroring entire websites; it's about ZeroNet-to-Clearnet communication.
purplesyringa
commented
3 years ago Take a look instead to this: #2644 (comment)
There is no need to fill this issue with useless references to other issues, I'll look at them anyway.
This iframe issue must wait for others opinions as well.
Oh god, do you get it that it's not about iframes at all? It's about scripts, or fonts, or APIs -- but not about iframes in particular.
purplesyringa
commented
3 years ago Wrong. Use case: ZeroNet social network that allows you to add and verify your email/Facebook/etc. This requires a call to an external service.
purplesyringa
commented
3 years ago You are using a social network right now - GitHub. I am not advocating for running Facebook on ZeroNet, i.e. a social network with censorship and spying. Linking external accounts, which is my use case, is not mandatory for the main service but is a nice bonus.
purplesyringa
commented
3 years ago For http://127.0.0.1:43110/1ADQAHsqsie5PBeQhQgjcKmUu3qdPFg6aA a lot of people would end up in jail and this is nothing compared to other sites on ZeroNet.
For hosting /tech/? Go on...
But to allow loading anything from facebook or any other network including from GitHub is strongly discouraged.
Even if that Clearnet site is API that was built for that very zite? Even if the request is POST /api/verify-email?.
purplesyringa
commented
3 years ago Are you willing to admit there are more use cases of email than verifying if a user is a bot? My ideology has always been that bots must have the same rights, if not more powerful, than users, so I'm not going to add captcha anytime soon. I just want to allow my users to attach emails to their accounts, keeping the following invariant: as long as you trust the site owner (me), you can be sure that if you send a email to that address, the right person will receive it.
purplesyringa
commented
3 years ago You can do that. And there is nothing wrong in doing that. But there are many people who want to use ZeroNet but have no idea what PGP is. For them, email verification is the way.
purplesyringa
commented
3 years ago I think if someone get that far that running ZeroNet probably learning about PGP is not that hard to do.
You are overestimating humans. Many people come to ZeroNet not because they don't know about alternatives, but because they are too hard to use for them.
scsmash3r
commented
3 years ago @imachug rage @HelloZeroNet @shortcutme point_down
Should never load a goddamn thing from clearnet. This is totally against the purposes of the network.
Clearnet stuff can disappear or change to bad and than you site will have a meltdown.
I'm against anything which is on clearnet. ZeroNet is a refuge not a place to invite the Interpol and other agencies.
Lastly, any attempt to make connections to clearnet should be avoided in order to preserve anonymity. Even if you use Tor with ZeroNet cloudflare or any other American captcha protected "service" (which mainly makes profit on selling personal data) would seriously make your life very difficult. They, all blocking Tor. Maintaining anonymity with clearnet requests from ZeroNet for any purpose is irresponsible, dangerous and many people would end up in jail!
You downloaded ZeroNet client from clearnet, and you're now posting comments on GitHub, being on clearnet. Yet, you're against resource loading from clearnet. I think it is a good thing to allow to communicate with resources from all over the places on the net (zeronet to clearnet resource request). But it should be a matter of choice for any particular user: it is up to them to allow or to block such requests.
I think, such requests should be blocked by default, and only allowed per zite (if the zite depends on clearnet resource and want to request it) by the client, who is visiting the zite.
For now, requesting clearnet libraries or chunks of data is a great aid for data to spread, cause inside ZN network itself, in its current state, there often can be 0 peers. With initially blocked access to outer resources, more and more devs will count that moment and will try to migrate their resources fully into ZN network instead just linking them directly (cause it may not work).
Is your feature request related to a problem? Please describe.
Copied from this ZeroTalk thread:
Describe the solution you'd like A switch on /Config:
Allow sites to use Clearnet resources:
A whitelist should probably be implemented as well.
Additional context This can probably be easily controlled with CSP: the current value works for the 'Yes' option, more limits can be added for 'No', and
Content-Security-Policy-Report-Onlyshould be used for warnings.According to some random site on the internet, CSP value limit is around 2048 bytes which should be more than enough for our use cases, including potential URL whitelists.