ConverseJS automatically visits sent links #1228

Closed
alexara opened this issue Sep 29, 2018 · 4 comments

Comments

@alexara

commented Sep 29, 2018

Hi! I sent myself a link to my personal website on web.conversations.im, but I did not visit the link:

https://domain.tld/some/path

When I now look into the webserver log, I see:

"$IP_ADDRESS - - [29/Sep/2018:16:32:32 +0200] GET /some/path HTTP/1.1" 404 117 "https://domain.tld" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"

That means that links are automatically visited, which contradicts privacy.

I only recognized it, because uBlock Origin and uMatrix did block these requests in the first place as I usually block all 3rd party instances by default.

Edit: I now sent a direct link to an image and found that this image is automatically downloaded.

  1. Do you mind to introduce an option to disable this behavior?
  2. Since this feature is only about images, I would suggest only to attempt downloading images from direct links, i.e. which end with {jpg|bmp|png|tif|...}.

@alexara alexara changed the title ConverseJS automatically visit sent links ConverseJS automatically visits sent links Sep 29, 2018

@jcbrand

Member

commented Oct 1, 2018

> Do you mind to introduce an option to disable this behavior?

Yes, I'll look into it.

> Since this feature is only about images, I would suggest only to attempt downloading images from direct links, i.e. which end with {jpg|bmp|png|tif|...}

TBH, I thought this was already the case, but looks like it isn't.

@jcbrand jcbrand added this to the 4.0.2 milestone Oct 1, 2018

@iNPUTmice


commented Oct 2, 2018

Do you parse every link or only links that are repeated in the oob tag? (That’s how Conversations differentiates between 'attachments' (HTTP upload) and plain old links that are meant as links).

Also; it might be worth loading images only over HTTPS or it will trigger the 'unsafe elements' warning in the browser. If you decide to only auto load actual attachments (oob url) then limiting oneself to HTTPS isn’t really a problem because HTTP upload has TLS as a MUST anyway.

@jcbrand

Member

commented Oct 3, 2018

Currently all links are checked whether they are images. I think a webchat client is subtly different from a mobile client in that people will more regularly just paste an image URL (which means it's not sent as OOB) and then expect that image to render inline.

Concerning HTTP, we can probably add a button to be clicked to render the image inline (like on Conversations in some cases).

@jcbrand jcbrand modified the milestones: 4.0.2, 4.0.3 Oct 3, 2018

jcbrand added a commit that referenced this issue Oct 13, 2018

jcbrand added a commit that referenced this issue Oct 15, 2018

@jcbrand jcbrand closed this Oct 15, 2018

@jcbrand

Member

commented Oct 15, 2018

There's now a new boolean option show_images_inline.

Besides this, Converse will only try to load as images those URLs that have a filename ending in one of the well-known image extensions.
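
The gating described in this thread (an opt-out switch, an image-extension check on the filename, and the HTTPS-only suggestion) can be sketched as follows. This is an added example, not Converse's own code: only `show_images_inline` is named in the thread, while `https_only`, the extension list and both function names are assumptions made for illustration.

```javascript
// Added example, not Converse's code. Only show_images_inline is named in the
// thread; https_only, IMAGE_EXTENSIONS and both functions are hypothetical.
const IMAGE_EXTENSIONS = new Set(['jpg', 'jpeg', 'png', 'gif', 'bmp', 'tif', 'tiff', 'webp']);

// Decide whether a URL found in a message may be fetched as an inline image.
function shouldRenderInline(text, settings = {}) {
  const { show_images_inline = true, https_only = true } = settings;
  if (!show_images_inline) return false;          // user opted out entirely

  let url;
  try {
    url = new URL(text.trim());
  } catch (err) {
    return false;                                 // not an absolute URL
  }
  const schemeOk = url.protocol === 'https:' ||
    (url.protocol === 'http:' && !https_only);
  if (!schemeOk) return false;                    // also rejects data:, javascript:, ...

  // Judge only the last path segment; query string and fragment are ignored,
  // so "/view?file=cat.png" is not treated as an image.
  const filename = url.pathname.split('/').pop();
  const dot = filename.lastIndexOf('.');
  if (dot <= 0) return false;                     // no extension, or a dotfile
  return IMAGE_EXTENSIONS.has(filename.slice(dot + 1).toLowerCase());
}

// Split a message body into URLs that would be fetched and URLs left as plain links.
function classifyLinks(body, settings = {}) {
  const result = { inline: [], linkOnly: [] };
  for (const token of body.split(/\s+/)) {
    if (!/^https?:\/\//i.test(token)) continue;
    (shouldRenderInline(token, settings) ? result.inline : result.linkOnly).push(token);
  }
  return result;
}

// Constructed sample message (domain.tld is the placeholder used in the report).
const sample = 'see https://domain.tld/some/path and https://domain.tld/pic.PNG?x=1 ' +
  'or https://domain.tld/view?file=cat.png http://domain.tld/cat.png';
console.log(classifyLinks(sample));
console.log(classifyLinks(sample, { show_images_inline: false }));
```

A URL that passes the extension check is still requested from a host chosen by the sender, so the recipient's IP address and User-Agent reach that server as in the log line from the report; only turning the option off avoids the request.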
