On Tue, Sep 15, 2009 at 07:54:44PM +0200, Justus Winter wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello,
On Sat, Sep 12, 2009 at 02:08:48AM +0000, corvid wrote:
Jorge wrote:
On Sun, Sep 06, 2009 at 11:17:25PM +0000, corvid wrote:
I just put together a somewhat hacky patch to add "same host" and "same domain" for image loading from the tools button (or dillorc) http://www.dillo.org/test/img_loading_options.patch
I ran on it as long as I could tolerate images over dialup (not long :), so here it is, and I will clean it up if there is interest shown in getting it into dillo. Good! I've had a similar idea for a long time.
Since before the url filtering thread, I believe a simple blocking scheme based on same host/domain cuts most of the problem (bandwidth, privacy, tracking, web bugs etc).
I'd suggest to add the filtering function in Capi. This is to make a_Capi_open_url() call a check function, e.g.
if (Capi_filters_check_url(...) < 0) /* abort */
(you may add a ParentUrl DilloUrl to the webstructure).
The point is to be able to reuse and improve the filter. (e.g. for CSS urls, sound streams, etc).
(I would probably want to change the names of the dillorc choices for image loading, make the internal value into an enum, look at the loadImages/autoload_image code duplication, etc., etc... Oh, and look up how to fix the tools menu width...) Something like:
filter_remote_resources = {LOAD_ALL, SAME_HOST, SAME_DOMAIN}
should be enough to get started. I made a new one: http://www.dillo.org/test/filtering.1.patch
It doesn't have the menu stuff, so you have to set the preference.
Hm... With "same_host" many sites no longer work because they seem to use redirects (e.g. heise.de -> www.heise.de) And once I have entered heise.de, www.heise.de doesn't work either.
Generally, is it really a problem if we load url's from other hosts/domains?
Or would it be enough to not send cookies or HTTP authentication data when loading such "unsafe" urls? If you're trying to protect dillo users from {X,C}SRF attacks then stripping http authentication and cookies is a first step but it won't
Johannes Hofmann wrote: protect users of intranet applications that rely on the users ip address for authentication (think home routers with web interface).
Ouch. Is there some general agreement on what web browsers should do in this regard?