From: Eli Zaretskii
Newsgroups: gmane.emacs.devel
Subject: Re: Never send user email address in HTTP requests
Date: Sun, 17 Dec 2023 16:44:46 +0200
Message-ID: <83edfkkhwh.fsf@gnu.org>
In-Reply-To: (message from Yuri Khan on Sun, 17 Dec 2023 21:05:00 +0700)
To: Yuri Khan
Cc: stefankangas@gmail.com, rms@gnu.org, philipk@posteo.net, akib@disroot.org, emacs-devel@gnu.org, monnier@iro.umontreal.ca

> From: Yuri Khan
> Date: Sun, 17 Dec 2023 21:05:00 +0700
> Cc: Stefan Kangas, rms@gnu.org, philipk@posteo.net,
>  akib@disroot.org, emacs-devel@gnu.org, monnier@iro.umontreal.ca
>
> On Sun, 17 Dec 2023 at 19:36, Eli Zaretskii wrote:
>
> > Sorry, but I disagree. Emacs should not second-guess the users, and
> > should certainly NOT force them into what we consider to be the secure
> > environment. It is okay to behave securely by default, but if someone
> > wants to be insecure, for whatever reasons, we should let them have
> > the old, insecure behavior. Certainly when we first change the
> > default, since there's a possibility that something will break for
> > someone due to this change, and we need to let users have a fire
> > escape in those cases, until we get our act together in the next
> > release.
>
> The header in question, From, is governed by RFC 9110 § 10.1.2[0], which says:

Thanks, but this isn't relevant to the issue at hand.

> It is good that the default value of ‘url-privacy-level’ is (email),
> preventing the leak by default, but there is no reason to make it
> possible to configure url.el to leak it with every request made from
> Emacs. If you’re running a spider and also just browsing the Web with
> EWW, you probably only want requests from your spider to be attributed
> to you as the spider maintainer.

I remain convinced that we should allow users who actively want that to make their Emacs behave against any RFCs, when Emacs has been behaving like that for many years until now.