
Autolink and Link plugin suggests insecure hypertext transfer protocol #4825

Open
bpchasse opened this Issue Feb 12, 2019 · 5 comments

@bpchasse
bpchasse commented Feb 12, 2019

Do you want to request a feature or report a bug?
bug
What is the current behavior?
Link plugin prompts to append the insecure http protocol to external links.
If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem via fiddle.tinymce.com or similar.
Use the link plugin to add www.fiddle.tinymce.com. Notice the prompt suggests adding "http" rather than "https". Accept the prompt and inspect the link that was added. Notice that the link uses "http" rather than "https".
What is the expected behavior?
"https://" (secure) protocol is appended by default, if no protocol is specified and the link starts with "www."
Which versions of TinyMCE, and which browser / OS are affected by this issue? Did this work in previous versions of TinyMCE?
v5, all browsers, all OSs

@blackcathikari
Contributor
blackcathikari commented Feb 13, 2019

Note: Related to #4824.

I'll bring this up with the team, but I'm curious what your reasoning is behind why it should default to HTTPS @bpchasse ? Would a configuration option solve your use case?

@bpchasse
Author
bpchasse commented Feb 13, 2019

@blackcathikari
TLDR: The justification is security.

Google Chrome (and other browsers) have a similar auto-append protocol feature for URLs entered into the navigation bar. They default to https:// as this is the secure protocol.
When a naive consumer of an application that uses tinymce adds a link via the editor, they may not be aware of the consequences of http:// over https://.
More browsers and security experts are pushing sites to support https://.

Having a configuration option to specify default would also solve my use case.

Thank you for raising this to the team.

@blackcathikari
Contributor
blackcathikari commented Feb 14, 2019

Thanks for the reply bpchasse. We thought it might be that, but were curious if you had a particular use case.

We've logged this and will look into it for a future release.

@bpchasse
Author
bpchasse commented Feb 14, 2019

@blackcathikari

The specific use case is:

  1. User is typing a memo into an application via TinyMCE.
  2. User adds a link to the memo via TinyMCE's Link plugin; the link does not specify an http protocol.
  3. User is naive and is unaware of the differences between http:// and https://, and thus accepts the prompt.
  4. The memo containing the link is sent to another user.
  5. User2 clicks on the link (that now uses http://).
  6. User2 is subject to network security vulnerabilities associated with http://.

The desired behavior:

  • A naive user who is unaware of the differences between http:// and https:// accepts the prompt, and the https:// protocol is appended. Thus, User2 is not subject to network security vulnerabilities associated with http://.

@TheSpyder

Member

TheSpyder commented Feb 14, 2019

Not all sites support https even today, so we are a little hesitant to make it the default, but if we add the config option so it can be kept as http if desired then I think we can do this.
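The behaviour discussed in this thread, as an added example that is not TinyMCE's own code: a small link-normalisation helper that defaults scheme-less "www." links to https, with an opt-out list so links to hosts known to be http-only (TheSpyder's concern) can still be kept on http. The option names `defaultProtocol` and `httpOnlyHosts` are assumptions for this illustration, not the plugin's real settings, and the URLs in the demo are constructed.

```javascript
// Added example (not TinyMCE's code): decide which scheme to suggest for a
// link the user typed without one. Option names below are hypothetical.
const DEFAULTS = {
  defaultProtocol: 'https', // secure by default (assumed option name)
  httpOnlyHosts: []         // explicit opt-out for legacy hosts (assumed option name)
};

const LOOKS_LIKE_WWW = /^www\./i;

// Returns the URL the prompt should propose, or null when the input already
// carries a scheme (or is not a "www." host), so no suggestion is needed.
function suggestedUrl(input, options = {}) {
  const opts = { ...DEFAULTS, ...options };
  const url = input.trim();

  // Only bare "www." inputs are candidates; "http://www…", "//www…" and
  // "mailto:…" are left untouched. A bare "www." string cannot start with a
  // URL scheme, so no separate scheme check is needed here.
  if (!LOOKS_LIKE_WWW.test(url)) return null;

  // Host is everything before the first ":", "/", "?" or "#" (port stripped).
  const host = url.split(/[:/?#]/)[0].toLowerCase();
  const optedOut = opts.httpOnlyHosts.map((h) => h.toLowerCase()).includes(host);

  const protocol = optedOut ? 'http' : opts.defaultProtocol;
  return `${protocol}://${url}`;
}

// Convenience: the scheme a finished link will actually use, for auditing
// content that was saved with the old http default.
function protocolOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Demo on constructed input (this is the case from the issue report).
console.log(suggestedUrl('www.fiddle.tinymce.com'));                           // https://www.fiddle.tinymce.com
console.log(suggestedUrl('www.fiddle.tinymce.com', { defaultProtocol: 'http' })); // http://www.fiddle.tinymce.com
console.log(suggestedUrl('www.legacy.example/page', { httpOnlyHosts: ['www.legacy.example'] })); // http://www.legacy.example/page
console.log(suggestedUrl('https://www.fiddle.tinymce.com'));                  // null (already has a scheme)
```

The opt-out list keeps the secure default while still letting an integrator whitelist the handful of hosts that genuinely cannot serve https; `protocolOf` is useful for scanning existing stored content for links that were created under the old http default.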

@lnewson lnewson changed the title Link plugin suggests insecure hypertext transfer protocol Autolink and Link plugin suggests insecure hypertext transfer protocol Mar 1, 2019
