From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Eli Zaretskii <eliz@gnu.org>
Newsgroups: gmane.emacs.devel
Subject: Re: Never send user email address in HTTP requests
Date: Sun, 17 Dec 2023 16:44:46 +0200
Message-ID: <83edfkkhwh.fsf@gnu.org>
References: <E1qsCy3-0005lX-EC@fencepost.gnu.org> <8734ybkqf4.fsf@disroot.org>
 <E1r3pvB-0007bF-51@fencepost.gnu.org> <87sf54q2t8.fsf@posteo.net>
 <E1r4Yem-0003g1-12@fencepost.gnu.org> <87o7etlzx7.fsf@posteo.net>
 <E1rEhiL-000269-TZ@fencepost.gnu.org>
 <CADwFkm=25J06VRJNgZFh87vg7HBRHMY1uy4mj5aMLhTXZNCOcg@mail.gmail.com>
 <83v88xjipo.fsf@gnu.org>
 <CADwFkmn8t4UTFcw=f0LMXYD1Os+fRY0yGf5-QBOJ6j6PJbYSsg@mail.gmail.com>
 <83il4xj9cc.fsf@gnu.org>
 <CAP_d_8U9FZ3qK2Gj-dNJ9m5Hffk-AZ1DAhkp32DLqCq3Xz5Zow@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="16077"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: stefankangas@gmail.com, rms@gnu.org, philipk@posteo.net,
 akib@disroot.org, emacs-devel@gnu.org, monnier@iro.umontreal.ca
To: Yuri Khan <yuri.v.khan@gmail.com>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Sun Dec 17 15:46:28 2023
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1rEsPU-00042M-I2
	for ged-emacs-devel@m.gmane-mx.org; Sun, 17 Dec 2023 15:46:28 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces@gnu.org>)
	id 1rEsOq-0006SO-NB; Sun, 17 Dec 2023 09:45:48 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@gnu.org>) id 1rEsOm-0006NN-Rm
 for emacs-devel@gnu.org; Sun, 17 Dec 2023 09:45:45 -0500
Original-Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@gnu.org>)
 id 1rEsOk-0004BD-Fz; Sun, 17 Dec 2023 09:45:42 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-version:References:Subject:In-Reply-To:To:From:
 Date; bh=ero5lWOIiierTRKj+0aw/EMcL1N4W8K9CNZPpSf6xIg=; b=kOnBLAQEMyWRl7U7eNHd
 tLUF349IDdkNtvOVYR/J8JbsYWH+DoeA+iu2rVS4SYrjEqE2A1RHhn0wiAvkEDPnqP+LE5DziIuza
 cAoJAOLoGnQbqMIEJCXNq4Ko4NNb2b1PP7/kHhgo1W0jzUGpPUyS9y2uJv521Pf/ms3gzQSJb/v+q
 wpy+r1myEAxLl6a7PATnRxq0jDAIMwwEcPlN2h8xwdysN2rjfior8HhWykKZdT/VmGaYEgQJmWy/X
 sv1JFpUXtTZtgGruCcI6rnHGl/s/hr80al+PVfsYfo8i/DWpUtRw8zMcq5EhleglY/seTxCI1ZiSM
 ibmKVmcYiNTAvg==;
In-Reply-To: <CAP_d_8U9FZ3qK2Gj-dNJ9m5Hffk-AZ1DAhkp32DLqCq3Xz5Zow@mail.gmail.com>
 (message from Yuri Khan on Sun, 17 Dec 2023 21:05:00 +0700)
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.devel:313929
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/313929>

> From: Yuri Khan <yuri.v.khan@gmail.com>
> Date: Sun, 17 Dec 2023 21:05:00 +0700
> Cc: Stefan Kangas <stefankangas@gmail.com>, rms@gnu.org, philipk@posteo.net, 
>  akib@disroot.org, emacs-devel@gnu.org, monnier@iro.umontreal.ca
> 
> On Sun, 17 Dec 2023 at 19:36, Eli Zaretskii <eliz@gnu.org> wrote:
> 
> > Sorry, but I disagree.  Emacs should not second-guess the users, and
> > should certainly NOT force them into what we consider to be the secure
> > environment.  It is okay to behave securely by default, but if someone
> > wants to be insecure, for whatever reasons, we should let them have
> > the old, insecure behavior.  Certainly when we first change the
> > default, since there's a possibility that something will break for
> > someone due to this change, and we need to let users have a fire
> > escape in those cases, until we get our act together in the next
> > release.
> 
> The header in question, From, is governed by RFC 9110 § 10.1.2[0], which says:

Thanks, but this isn't relevant to the issue at hand.

> It is good that the default value of ‘url-privacy-level’ is (email),
> preventing the leak by default, but there is no reason to make it
> possible to configure url.el to leak it with every request made from
> Emacs. If you’re running a spider and also just browsing the Web with
> EWW, you probably only want requests from your spider to be attributed
> to you as the spider maintainer.

I remain convinced that we should allow users who actively want that
to make their Emacs behave against any RFCs, when Emacs has been
behaving like that for many years until now.