Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly

[Dr. Arne Babenhauserheide]

Ihor Radchenko <yantar92@posteo.net> writes:

> If necessary, we can introduce a special variable in Org mode that will
> disable all the potential third-party code evaluation, even if user has
> customized Org to execute code without prompt.

If that would be part of org-mode, this would be close to a
safe-org-mode.

An important part in what I wrote about safe-org-mode is that it has to
ensure that what is shown cannot trick the user into thinking something
else would get run.

A way to reduce risk would be to introduce a domain-allow-list (or
prefix-allow-list) in eww for filetypes that could be unsafe, so you
could for example add "orgmode.org" to your allowlist and for those
domains org-files would auto-open in org-mode.

Such security risks have a tendency of getting weaponized down the road
when they really hurt. Like when people didn’t care about npm
dependencies and had them suddenly deleting their files. And opening in
the currently used Emacs may give a malicious file access to remote
files opened via tramp, even if you (by virtue of being careful) require
a password for the connection to sensitive servers. That way, running
something in Emacs can be even more dangerous than running it in the
shell.

Best wishes,
Arne
-- 
Unpolitisch sein
heißt politisch sein,
ohne es zu merken.
draketo.de

signature.asc
Description: PGP signature