The imageUploadRemoteUrls should default to false #2323
Comments
@dswitzer most of the users want to have images which are inserted via a URL to be uploaded to their own server.
IMO, the security aspect of this is super critical. I think most users would be surprised that images being pasted are being passed through your servers. And well you may be deleting them, what if that changes? What if there's a bug and the files are being wiped? I think it's great you're offering the service, but it should be something users opt-in to, not something that just happens. At a bare minimum, I think it has to be extremely clear that this is going to happen. I think most users upgrading from 2.7.0 to 2.7.1 would be surprised to find images might be getting sent to your servers.
Thanks for the feedback, @dswitzer. I just checked the code of the
Since the imageUploadRemoteUrls can send images to Froala servers, I suggest the default behavior of the imageUploadRemoteUrls option should be false.

Unless a person reads the documentation carefully, I think it's easy to miss that images may get proxied to https://cors-anywhere.froala.com which can lead to security concerns.

If the imageUploadRemoteUrls was defaulted to false, then this does not happen.

Users can always enable this option if they need the functionality.