From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id qIpDDFtdWGOtDQEAbAwnHQ (envelope-from ) for ; Wed, 26 Oct 2022 00:04:11 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id CKNsC1tdWGOaMQEAG6o9tA (envelope-from ) for ; Wed, 26 Oct 2022 00:04:11 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id BAEC2B1C1 for ; Wed, 26 Oct 2022 00:04:10 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1onS0J-0002w7-Kx; Tue, 25 Oct 2022 18:02:36 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1onS0H-0002pK-LL; Tue, 25 Oct 2022 18:02:33 -0400 Received: from mout.web.de ([217.72.192.78]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1onS0F-0004Pe-CY; Tue, 25 Oct 2022 18:02:33 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=s29768273; t=1666735315; bh=zHFgKp6nr/PSVarwXvFgCdtLAesTNO6Q95JOvrYfljg=; h=X-UI-Sender-Class:References:From:To:Cc:Subject:Date:In-reply-to; b=J8iiBRtqdl38IhgYO2XLt77Mcyb8tLvHCXIQIJuapQpHDlAx4JFdt3UQH3HAkyi4m TNeUiMRs82OXDD2L5gmrabpC5nqnHulhbawlTOWz5QpCfhOBffDeKlJuFMoWqZkCt0 XNsIRX2gQBJEiHENkksZosSjD1APlWQ9oUq/WOyVD8tEIy9LLFHTMNvRBdDQEDqkF6 USf5tB5ksX6FGrrhfqJk/HXSKl3PWxKVXzZOi/tUib7YQHyJHFOMR5mh9n5Y4Rkypj 0PfKSsvqmkyOdKz8r/Efhog0ElSRH0qFULFmAwME8gKT7K/cKsKSXtI+NMmRPo1EoG LW61SmPKVo3yA== X-UI-Sender-Class: 814a7b36-bfc1-4dae-8640-3722d8ec6cd6 Received: from fluss ([84.165.20.127]) by smtp.web.de (mrweb105 [213.165.67.124]) with ESMTPSA (Nemesis) id 1MC0PP-1ovRp13vtF-00CExz; Wed, 26 Oct 2022 00:01:54 +0200 References: <86bkq0qf8p.fsf@protected.rcdrun.com> <87bkq0t03l.fsf@web.de> User-agent: mu4e 1.8.9; emacs 28.1 From: "Dr. Arne Babenhauserheide" To: Jean Louis Cc: bug-gnu-emacs@gnu.org, emacs-orgmode@gnu.org Subject: Re: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly Date: Tue, 25 Oct 2022 23:54:46 +0200 In-reply-to: Message-ID: <87r0yvsgtt.fsf@web.de> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" X-Provags-ID: V03:K1:/Q5o4oLRr6wDbQOjc6XwGIVnhMJvVLAyyIpCMeM3vT+YSHLFVZv AZ6XV0S4+KKuCJY7hJ+RJzct8Q/57gEFbKfWSBLflRy8a/2gs9T3LoaS+2FR7tTM0dB9GXN 9ly4FN2Njs8tSvhMRJMT2Xqr3DAoqO/Faf4LYGtx1RHs8tTucKUmgv7L9nGHgREUy/y54xm S+gjeS7fI8wyhQ4dWxObw== UI-OutboundReport: notjunk:1;M01:P0:eBZBvbsRLAA=;xR8aLl9Pf48CdOy47DLlxeMMHe/ wc4jyFOKXrkotP0wVzmLOW+u/KE3xq5fLw40IkXM+VNiMGd/pInLb8EBxRDjy1vwfPQqQh5Mm eLUJk5CO2X30gcUcG3wP7RDZO+hmJ8rjRd6JJKbfnlibhf9c/KS9tFN0ZZx7iuX/pLYpbG6l+ chKxhag6mmJBpSKqRMDzzMH/WadfUmYa2yeTeA5ukWsz/Mw6PZ70AL/k16JnTKp4bGj6HdiPa dApUA6S36/V1uepwX2WFPXOt3TpK4iHsiX4HHEio1YjD2cTsUElomDlElpQkGsQU/mFFTieVZ gBYL13tDg3qTfKI5J9mw6Rm/sIZsiZzuiGKjjTg4J4Sg1kg7zcBv0FqMxtzt8x/+eV1cpX9BI gB63E0oo61uC7XDuP/IOTsJzl9BuSsWRG5oKxg0MvAx0xZqHrzunSAVZ3Q/9jApdhQ5S45fr0 zVMVIx3Sa3Abb4evFoibTZ63BImelNxRHA0/UTNi7Qu9Z8cJTPDHHFnZMmRchtd3qvhKrU28q OiTNY/QOudoZHmEJKUVtDi88mmWExzR1HfySbQJk8TA5JSDDUPOxTn7yiix96NXNOBH8alhUS xaI2h2wNvUvo9Ebpx2Q4tLyu4TptB56KLdXw/2XlZzJo/ydfyIZczDJ8o1xNzABIhG+OblkXE R6P1JaD2lwi0b9t+OdzrFb+2ge5ehJ/GZtEV6CsYWCZPaDCaruuOsirZx7+wOG0zp2A5znKpo 4k5wDhGKgURezmCxBk4KrUSk5E3VECz0nQWK+z37A62VmtBIkb81Em7xrMUUXNzfzSq8XtHfo Or/Q0DfoxbXtX0hU+0XWlR7Y3ROWG3mimLcvvW0qXyC7Rq9ZCgl3nYcULuNqARwLvk0CWkpbZ DU5gHOnqYlsT/KzQj37jn2sA+FmpbWYsVnTIOjOAR5s4iHm2UhpeOGwRV5t56EUIVo2cvhRjO aZr/nA== Received-SPF: pass client-ip=217.72.192.78; envelope-from=arne_bab@web.de; helo=mout.web.de X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-orgmode@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Emacs-orgmode" Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1666735450; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=zHFgKp6nr/PSVarwXvFgCdtLAesTNO6Q95JOvrYfljg=; b=rS1Myg1zFlR5X/r3Ra0P4I9pU0mDIsJtYPQY9WyBOFsMDpUpIF2dlVETGiRTA4wPjoR2rG SSFPZdcbBCWG3PeFl18QYB8mRo4Ni/hnCFRDsF2NOxq0IyPY8TGAda2cYYC69EADdTPO3e ayCS2CpoCKxIvoUYn1xG0eZ5BLNBp6k8io3CcBkKR1Cm3KavG43QhW44kjAo7NK7SCjW/7 3T6LOnNp0zAY+ecreOzdhnjfGzMr7Ral/ZGEllAu9FiK4uRWz4jlZP/EJMp0cQusruLRVu xfMXREYh95oY9yv/Uc/fMkDGrvUJESSGV4tU2KIpk00rMHCsyHX6gtlSYijUkQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1666735450; a=rsa-sha256; cv=none; b=cjVQVMLHxJXv2Bj2LaX3Xr6sJjUo232LBZpaTp1SzkIk06lFKGUkcvxgGEXUnyJ0xTCKeP d/5TiX2m6cDI+pgqAQgiTkMNMvcZ7Ll5lnUu54+aYNVzCEqjeOAdKZxnEr6rQ5PBpAESF7 bzqFt8FM5d/CerIK2zSBDEAGtu9YSv3wYD/TlNT6bd2EJjkXPNyD1AbiXhVFcj7ANjcTye qY1L2OYq/BYOd3mwcDZVtFW9L43KVyvlAD/CiCxlo7SjTHbS9MpyTxryNjo7flAhkpvj8f JFj4RvK3PgacCGmNkJpnU9n3yWXW83ovZvxCZZPduG8pbSaLgZg30ZCBlNsttw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=web.de header.s=s29768273 header.b=J8iiBRtq; dmarc=pass (policy=none) header.from=web.de; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -8.81 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=web.de header.s=s29768273 header.b=J8iiBRtq; dmarc=pass (policy=none) header.from=web.de; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: BAEC2B1C1 X-Spam-Score: -8.81 X-Migadu-Scanner: scn0.migadu.com X-TUID: iObbYGE3eVku --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Jean Louis writes: > * Dr. Arne Babenhauserheide [2022-10-25 18:06]: >> > This wish request is related to Emacs EWW and Org mode. >> > >> > Please make EWW recognize Org file when served by WWW server. Currently >> > it does not recognize the MIME type text/x-org and opens the file as >> > text, it does not invoke the org mode. In my opinion, it should. >>=20 >> This sounds dangerous. Org mode can execute untrusted code, so this >> could trick people into running untrusted code with the permissions of >> their Emacs. > > I can always do that in Emacs, execute untrusted code. There are no > trust mechanisms for plethora of Emacs packages and codes distributed > over Internet.=20 All of the Emacs packages have some amount of implicit trust. Even melpa carefully vets packages nowadays. That=E2=80=99s not the case for some webs= ite you visit. > That was not my request. > > Do you know how to make this work? If you ask me whether I can make this work safely: This would first require the introduction of a safe-org-mode which strictly disables all features that can execute remote code or disguise unsafe operations as safe ones. If a user then decides to explicitly call M-x org-mode, that=E2=80=99s their problem. If you ask me whether I know how to make this work unsafely: It likely won=E2=80=99t need a lot of elisp reading, but I do not, because I do not l= ook for it, because if I did, I would not. I do not want to be the one who caused the systems of eww users to get breached, or who helped opening that security hole. Best wishes, Arne =2D-=20 Unpolitisch sein hei=C3=9Ft politisch sein, ohne es zu merken. draketo.de --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJEBAEBCAAuFiEE801qEjXQSQPNItXAE++NRSQDw+sFAmNYXNEQHGFybmVfYmFi QHdlYi5kZQAKCRAT741FJAPD6/u/EACdvzRwgIGAlxjp/6z1BteRyDu3JNYFiWSO 47xDts/npJGk9AVZbHijGPkfSGoteSAOW8VftLmJW/ie4MoiQMiJlnHgDA5QUFn4 juQ3IIw2qgEvirqwmYkNs37IEP3vI+7b4DybPveqZ/Qi47cG2MAqKrXZOwi67t39 ywAdGhqoRuMtPoX04WjvM2E+WzF0D1bCvhp8NddD1LbHuj8PqS/GdDMEAvfF0SH2 szc3I5XpqZNoigwQKtBGQz0pRmmKoHuLBXQDJ5cTIjKy53q8qxj0/QjS3YbiiNtq WmastEomWcehTBVlxBATGHgr99VrsnSa95UekAZ3EeQidGlYpBVSTyc4wbgHV0vl B1aDdH+oN7c0KaCw2538peOO08oZ2A1bOvLGMlN5SZzbn8fddXmj4Ay5pj8Jxt8D 2jPc/loHncK4YQYvPJDCnhRnaoUuFUNbjPrZPOHlotD+EFl+PEP9NzbHJHD9ow8H VraAOO+uCk8PdUB1/CvUNbmug59wIvN3VcA/Z/7SvkJgThYHoXFO6Rq1Ll+V+vpz BBiDEic9B6Uuej7CrczKa72mCWIzKrMFUNpc9XxMSp5V03MczB6U+GTYStULNTmo Ex1z8e9iqZkGzwRaMKvZw7o4vUAxkJ4FhOZ0v9DBUpLv86WWpTW7Mkpt7s+P0UMN /kLX9XMNaYjEBAEBCAAuFiEE3Si95tmHXKvOSosd3M8NswvBBUgFAmNYXNIQHGFy bmVfYmFiQHdlYi5kZQAKCRDczw2zC8EFSL4qA/9z13IKgin31gnpx0AGJblvnxSp wO6FNOk1tsAWSfzW9mPaZfsj9b+yITLuLC35Drk5XoeTtZEvTyjYEQNlGgEktB1y kz0y4UJIE73EDwTpBn6JIM+fBBLjHaug3xzGfADJjAprujG2Lls7joKC4c01MJqZ 14evq4sxA2HjAfzgag== =Ye5I -----END PGP SIGNATURE----- --=-=-=--