On 03/02/2024 03:03, Ihor Radchenko wrote:
Max Nikulin writes:
--- 8< ---
#+setupfile: http://localhost:8000/setup-1234567890.org
test
--- >8 ---
[...]
Fixed, on bugfix.
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=56748ea4e
Please confirm that the fix works on your side.

I have tried it with this specific scenario: open such a file (not a
mail message with an attachment) with http: URIs. "Skip" works as
expected now. I am unsure if any kind of remote files is blocked.

However it may be unclear for users that setting `t' for
`org-resource-download-policy' is dangerous if they use Emacs as a mail
client or as a handler for opening links to .org files in browsers. I
would consider adding "dangerous" to the label of this option and a
warning to the docstring.

Another concern of mine is an attack using an attachment with multiple
"#+setupfile:" keywords with remote URIs. Users will get tired of declining
specific download requests without an option to ignore all remote
resources. I hope C-g is obvious enough and it works in gnus&Co. I
am unsure how to implement in Emacs an approach used e.g. in
Thunderbird. Remote content is blocked till an explicit user action and
a yellow bar with an unblock button is displayed at the top of the
message body pane.
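
Added example, not part of the original message and not Org's own code: a pre-open check that lists every remote "#+setupfile:" target in an untrusted .org attachment and the distinct hosts behind them, so one decision can be made for the whole file. The function names, the scheme list and the sample text are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Matches "#+setupfile: <target>" in any letter case, with optional indentation.
SETUPFILE_RE = re.compile(r"^[ \t]*#\+setupfile:[ \t]*(?P<arg>.*)$",
                          re.IGNORECASE | re.MULTILINE)
# Schemes treated as remote here (assumption of this example, not Org's list).
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def remote_setupfiles(org_text):
    """Return [(line_number, uri)] for each #+setupfile pointing at a URL."""
    hits = []
    for m in SETUPFILE_RE.finditer(org_text):
        arg = m.group("arg").strip()
        if not arg:
            continue
        # The target may be double-quoted; otherwise take the first token.
        uri = arg[1:].split('"', 1)[0] if arg.startswith('"') else arg.split()[0]
        if REMOTE_RE.match(uri):
            line_no = org_text.count("\n", 0, m.start()) + 1
            hits.append((line_no, uri))
    return hits


def remote_hosts(org_text):
    """Distinct hosts, so the file is judged once rather than once per prompt."""
    return sorted({urlsplit(uri).hostname or "" for _, uri in remote_setupfiles(org_text)})


# Constructed sample attachment; the first URI is the one quoted in the thread.
SAMPLE = """\
#+title: notes
#+setupfile: http://localhost:8000/setup-1234567890.org
#+SETUPFILE: "https://example.invalid/theme.org"
  #+setupfile: ./local-setup.org
#+setupfile: https://example.invalid/other.org
test
"""

if __name__ == "__main__":
    for line_no, uri in remote_setupfiles(SAMPLE):
        print(f"line {line_no}: remote setupfile {uri}")
    print("hosts:", ", ".join(remote_hosts(SAMPLE)))
```

The check is deliberately conservative: it also reports keyword lines that sit inside example or source blocks.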