golang / go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/pkgsite: image in readme and privacy #43114

Closed

pierrre opened this issue Dec 10, 2020 · 2 comments

Labels

NeedsInvestigation pkgsite

Milestone

pkgsite/unplanned

pierrre commented Dec 10, 2020

If a readme includes images, they're showed directly on pkg.go.dev.
It could cause privacy/security issue:

the image could be used to track users (statistics/IP/etc...)
if the image is "malicious", and the web browser has a bug, it could crash it, or execute arbitrary code

We should probably have an image proxy (similar to what Github does).

I'm surprised nobody reported it already.
I haven't found any similar issue on the tracker.
Maybe I didn't search correctly.

gopherbot added the pkgsite label

gopherbot added this to the Unreleased milestone

jamalc added the NeedsInvestigation label

jamalc modified the milestones: Unreleased, pkgsite/unplanned

Contributor

julieqiu commented Dec 10, 2020

Closing this as a duplicate of #37128.

julieqiu closed this

Author

pierrre commented Dec 11, 2020

sorry for the duplicate, I couldn't find this other issue in my search.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment