Open TrimmingFool opened 1 year ago
We can use GD to remove exif data from images before displaying them. However, we would need to create a new plugin and consider temporarily caching images processed. https://www.php.net/manual/en/book.image.php
Links should only be trusted (by default) if they belong to the domain of the RSS feed. We can distribute a whitelist file with preset values such as https://www.imdb.com/ so users can read movie reviews. noreferrer should be added to links for privacy.
Is your feature request related to a problem?

A less restricted view was first requested in https://github.com/Novik/ruTorrent/issues/2426. However, stickz worries that users may fall victim to phishing attacks if we show `<a>` links as in https://github.com/Novik/ruTorrent/pull/2429. Additionally, there is also a privacy threat when trying to show `<img>` resources from an unknown source in the browser.

Describe the solution you'd like

In my opinion, providing an option to show `<a>` links is reasonable since the user can hover the link to see where it leads. On the other hand, `<img>` should not be fetched unless the request is proxied.

Suggestions by stickz:

Further security/privacy feature ideas by me:

(`public`, `private`) for individual RSS feeds, instead of `Secure` and `Insecure`
`action.php?fetchurl=...`
`guid` (opened with dblclick) or the torrent `url` matches the RSS feed domain

Additional context

Novik suggested to add `noreferrer` to links https://github.com/Novik/ruTorrent/issues/2426#issuecomment-1368454942
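
The link-trust rule discussed in this issue (links trusted by default only when they belong to the RSS feed's domain or to a distributed whitelist, with `noreferrer` on every link), as an added example that is not part of the issue or of ruTorrent's code. The function names are hypothetical, and "belongs to the domain" is assumed to mean the feed's host or a subdomain of it.

```javascript
// Added example: decide whether an RSS item link may be rendered as a live <a>.
// isTrustedLink, safeLinkAttrs and ALLOWLIST are hypothetical names, not ruTorrent's.

// Preset whitelist entry taken from the issue text.
const ALLOWLIST = ["https://www.imdb.com/"];

// True when host equals base or is a subdomain of it. Matching on a dot
// boundary keeps "evilimdb.com" from passing for "imdb.com".
function hostMatches(host, base) {
  host = host.toLowerCase().replace(/\.$/, "");
  base = base.toLowerCase().replace(/\.$/, "");
  return host === base || host.endsWith("." + base);
}

function isTrustedLink(href, feedUrl, allowlist = ALLOWLIST) {
  let link, feed;
  try {
    feed = new URL(feedUrl);
    link = new URL(href, feed); // relative links resolve against the feed URL
  } catch {
    return false; // unparsable input is never trusted
  }
  // Web links only: rejects javascript:, data:, file: and similar schemes.
  if (link.protocol !== "https:" && link.protocol !== "http:") return false;
  // Embedded credentials can disguise the real host (user@host form).
  if (link.username || link.password) return false;
  if (hostMatches(link.hostname, feed.hostname)) return true;
  return allowlist.some((entry) => {
    try {
      return hostMatches(link.hostname, new URL(entry).hostname);
    } catch {
      return false; // a malformed whitelist entry matches nothing
    }
  });
}

// Attributes for the rendered link: noreferrer always, href only when trusted,
// so an untrusted link stays inert text.
function safeLinkAttrs(href, feedUrl, allowlist = ALLOWLIST) {
  const attrs = { rel: "noreferrer" };
  if (isTrustedLink(href, feedUrl, allowlist)) {
    attrs.href = new URL(href, feedUrl).href;
  }
  return attrs;
}
```
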