emacs-orgmode
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly


From: Jean Louis
Subject: Re: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly
Date: Wed, 26 Oct 2022 10:57:16 +0300
User-agent: Mutt/2.2.7+37 (a90f69b) (2022-09-02)

* Dr. Arne Babenhauserheide <arne_bab@web.de> [2022-10-26 01:02]:
> All of the Emacs packages have some amount of implicit trust.

Users are unaware what package may do, and packages are everywhere on
Internet. That is not a problem that I wish to solve.

> If you ask me whether I can make this work safely: This would first
> require the introduction of a safe-org-mode which strictly disables all
> features that can execute remote code or disguise unsafe operations as
> safe ones. If a user then decides to explicitly call M-x org-mode,
> that’s their problem.

Thanks, though, that was not my request.

Please note that you miss very important issue, and that is that all
browsers support customization on how to open specific content types,
so it is quite trivial to customize in browser to open Common Lisp
program with Common Lisp. 

Thus all of browsers who allow content type customization are
analogous to problem you are presenting, which in fact is no practical
problem at all. 

Find the victim first, then present the problem.

To understand is that content type opening is generally not secure and
that it is user choice.

I am user of Org mode, and all I wish is to adapt eww to invoke
command "org-mode" once content type text/x-org has been recognized.

This way I can browse Org files directly, it is very useful for me as
I have bunch of files.

> If you ask me whether I know how to make this work unsafely: It likely
> won’t need a lot of elisp reading, but I do not, because I do not look
> for it, because if I did, I would not.

Well then 👀

> I do not want to be the one who caused the systems of eww users to get
> breached, or who helped opening that security hole.

See above, all other content types and URL links may be customized by
user to be opened how users want it. 

Your security presentation lacks the background knowledge.

See the attached screenshot how easy it was to customize IceWeasel or
Firefox derivate to open Org files by using Emacs client. I have
script called "edit" which invoces emacsclient.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]