emacs-orgmode

Re: [BUG] Unsolicited download of remote resources


From: Max Nikulin
Subject: Re: [BUG] Unsolicited download of remote resources
Date: Sun, 4 Feb 2024 19:21:42 +0700
User-agent: Mozilla Thunderbird

On 03/02/2024 03:03, Ihor Radchenko wrote:
> Max Nikulin writes:
>
>> --- 8< ---
>> #+setupfile: http://localhost:8000/setup-1234567890.org
>>
>> test
>> --- >8 ---
> [...]
> Fixed, on bugfix.
> https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=56748ea4e
>
> Please confirm that the fix works on your side.

I have tried it with this specific scenario: open such a file (not a mail message with an attachment) with http: URIs. "Skip" works as expected now. I am unsure if any kind of remote files is blocked.

However, it may be unclear to users that setting `t' for `org-resource-download-policy' is dangerous if they use Emacs as a mail client or as a handler for opening links to .org files in browsers. I would consider adding "dangerous" to the label of this option and a warning to the docstring.

Another concern of mine is an attack using an attachment with multiple "#+setupfile:" keywords with remote URIs. Users will be tired of declining specific download requests without an option to ignore all remote resources. I hope C-g is obvious enough and it works in gnus&Co. I am unsure how to implement in Emacs an approach used e.g. in Thunderbird. Remote content is blocked till an explicit user action and a yellow bar with an unblock button is displayed at the top of the message body pane.
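
As an added illustration of the multiple-keyword concern raised in the message above (not part of the original message and not Org's own code): a check that can be run on an attachment before it is opened in Org mode, counting the keywords that name remote URIs. Scanning `#+include:` as well, the scheme list and the `max_prompts` threshold are assumptions of this example.

```python
import re

# "#+setupfile:" is the keyword shown in the thread; scanning "#+include:"
# as well is an assumption of this example.
KEYWORDS = ("setupfile", "include")
REMOTE_SCHEMES = {"http", "https", "ftp"}  # assumption: schemes worth flagging

_KEYWORD_RE = re.compile(
    r"^[ \t]*#\+(?P<kw>%s):[ \t]*(?P<arg>.*)$" % "|".join(KEYWORDS),
    re.IGNORECASE | re.MULTILINE,
)
_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*)://")


def remote_resources(org_text):
    """Return (line_number, keyword, url) for each keyword naming a remote URL."""
    hits = []
    for m in _KEYWORD_RE.finditer(org_text):
        arg = m.group("arg").strip()
        if not arg:
            continue
        # The target is the first token, optionally wrapped in double quotes.
        target = arg[1:].split('"', 1)[0] if arg.startswith('"') else arg.split()[0]
        scheme = _SCHEME_RE.match(target)
        if scheme and scheme.group(1).lower() in REMOTE_SCHEMES:
            line = org_text.count("\n", 0, m.start()) + 1
            hits.append((line, m.group("kw").lower(), target))
    return hits


def triage(org_text, max_prompts=1):
    """Classify a file by how many download requests opening it could raise."""
    hits = remote_resources(org_text)
    if not hits:
        return "clean", hits
    return ("review" if len(hits) <= max_prompts else "prompt-flood"), hits


# Constructed sample attachment; only the localhost URL comes from the thread,
# the example.invalid hosts are placeholders.
SAMPLE = """\
#+title: notes
#+SETUPFILE: http://localhost:8000/setup-1234567890.org
#+setupfile: "https://example.invalid/a.org"
  #+include: ftp://example.invalid/b.org src org
#+setupfile: ./local-setup.org
# +setupfile: http://example.invalid/not-a-keyword.org
test
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```
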




