Policy for opening url links in documents
Daniel
xracoonx at gmx.de
Wed Aug 16 16:30:38 UTC 2023
On 2023-08-16 16:35, Pavel Sanda wrote:
> Hi,
>
> as a part of #12878 Stephan raised a question to what degree should we allow
> opening external links which are part of citation in the document (or rather
> part of .bib file).
>
> Currently we allow opening links stored in the "url" field of bibtex entry or
> files stored in "file" field by entry in the context menu; what's worse we
> don't show the link, so one can not check url itself - malevolent url can be
> provided (e.g. attacker web site, or maybe url scheme trying to execute some
> local stuff).
>
> (We also allow similar thing for hyperlink insets, but we at least show
> the target in caption of the inset.)
>
> Now what are your opinions what we should do about it?
> 1) nothing.
> 2) add dialog before launching url. safer but super annoying.
> 3) add dialog before launching url + dont ask again checkbox.
> not implemented - we'll also need to add session keys, which
> get erased often.
> 4) add link target to context menu (non trivial to implement)
> 5) add (by default disabled) checkbox in security preference to allow
> opening links for citations and hyperlinks similarly as we do with
> scripts.
> 6) ?
>
>
> I tend to go for 5, but there might be other options I did not think of...
FWIW, I have seen only 1, 2 and 3 implemented in other applications when
launching external URLs but none of the others.
A possible
6) Per document enabling: when there are external URLs in a document
that could be opened, a message appears at the top asking whether the
document should be trusted in that respect.
It's similar to how VS Code asks whether to enable extensions for a
document. Not sure whether I like myself.
Daniel
More information about the lyx-devel
mailing list