Ihor Radchenko <yanta...@posteo.net> writes:

>> Note that with the suggested feature, any link you follow risks being
>> loaded in Org mode, before the user even has a chance to inspect the
>> file. Which Org features, currently existing or introduced in the
>> future, would EWW have to add workarounds for?
>
> That's not the case. Org never loads arbitrary code on loading the file
> without querying the user.

We seem to be miscommunicating. In the above, I was merely referring to
whether org-mode is run when visiting some URL or not, which AFAIU is a
binary thing (it either does, or it doesn't). You seem to be talking
about security features in org-mode itself, which is related, but not
the same thing.

I agree that there are various security features in org-mode. I still
don't think that we should run org-mode just because some URL requests
it.

To reiterate what I said, security problems are hard to audit and
discover. We shouldn't expose users to additional risks just to add such
a minor convenience feature. It is not a good trade-off.

> Strictly speaking, even eww-mode may run arbitrary code given that user
> puts something into eww-mode-hook.

My concern is not that the users should run their own code, but that
they will inadvertently run (potentially malicious) code provided by
others.

> I'd say that it will be safer to take care about necessary precautions
> rather than leaving the user with the only option to run org-mode
> manually.

Adding a `safe-org-mode' would be an improvement, but orthogonal to
whether or not we should automatically load org-mode when visiting any
URL that presents itself as serving an org file. I think we should not
do the latter.

> If necessary, we can introduce a special variable in Org mode that will
> disable all the potential third-party code evaluation, even if user has
> customized Org to execute code without prompt.

That would also be an improvement, yes. It would be even better if such
a variable supported whitelisting, so that users could mark only
specific files as safe for these purposes.