Policy for opening url links in documents
Scott Kostyshak
skostysh at lyx.org
Wed Aug 16 18:33:30 UTC 2023
On Wed, Aug 16, 2023 at 06:30:38PM +0200, Daniel wrote:
>
> On 2023-08-16 16:35, Pavel Sanda wrote:
> > Hi,
> >
> > as a part of #12878 Stephan raised a question to what degree should we allow
> > opening external links which are part of citation in the document (or rather
> > part of .bib file).
> >
> > Currently we allow opening links stored in the "url" field of bibtex entry or
> > files stored in "file" field by entry in the context menu; what's worse we
> > don't show the link, so one cannot check url itself - malevolent url can be
> > provided (e.g. attacker web site, or maybe url scheme trying to execute some
> > local stuff).
> >
> > (We also allow similar thing for hyperlink insets, but we at least show
> > the target in caption of the inset.)
> >
> > Now what are your opinions what we should do about it?
> > 1) nothing.
> > 2) add dialog before launching url. safer but super annoying.
> > 3) add dialog before launching url + don't ask again checkbox.
> > not implemented - we'll also need to add session keys, which
> > get erased often.
> > 4) add link target to context menu (non trivial to implement)
> > 5) add (by default disabled) checkbox in security preference to allow
> > opening links for citations and hyperlinks similarly as we do with
> > scripts.
> > 6) ?
> >
> >
> > I tend to go for 5, but there might be other options I did not think of...
>
> FWIW, I have seen only 1, 2 and 3 implemented in other applications when
> launching external URLs but none of the others.
>
> A possible
>
> 6) Per document enabling: when there are external URLs in a document that
> could be opened, a message appears at the top asking whether the document
> should be trusted in that respect.
>
> It's similar to how VS Code asks whether to enable extensions for a
> document. Not sure whether I like myself.

I think Daniel is talking about:

  Document > Settings > Format > Output > "Allow running external programs"

Whether 5 or 6, I wonder if it would be helpful to combine the
preferences. i.e., have a preference "Trust document content", and then
allow the user finer control if they prefer?

Scott
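
A sketch of a pre-launch gate for the risk raised in this thread (a citation "url" field the user never sees, possibly with a scheme that runs something local), added here as an example; it is not LyX code and was not proposed on the list. It assumes that only http/https targets are ever opened and that a default-off preference, as in option 5, chooses between opening directly and confirming with the target shown; all names are hypothetical.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical names; an illustration, not LyX code.
enum class Action { Open, ConfirmShowingTarget, Refuse };

// Lowercased URL scheme, or "" if the string does not start with one.
// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
std::string schemeOf(const std::string& target) {
    const std::size_t colon = target.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    if (!std::isalpha(static_cast<unsigned char>(target[0]))) return "";
    std::string scheme;
    for (std::size_t i = 0; i < colon; ++i) {
        const unsigned char c = static_cast<unsigned char>(target[i]);
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return "";
        scheme += static_cast<char>(std::tolower(c));
    }
    return scheme;
}

// Gate for the "url" field of a citation entry (assumed policy).
// allowLinks models option 5: a security preference that is off by default.
Action decideUrl(const std::string& url, bool allowLinks) {
    const std::string scheme = schemeOf(url);
    // Only web schemes reach the system opener; file:, custom handlers and
    // scheme-less strings are refused whatever the preference says.
    if (scheme != "http" && scheme != "https") return Action::Refuse;
    // Control characters could misrepresent the target in a dialog.
    for (unsigned char c : url)
        if (c < 0x20 || c == 0x7f) return Action::Refuse;
    // Without the preference, the user sees the full target before launch.
    return allowLinks ? Action::Open : Action::ConfirmShowingTarget;
}

int main() {
    // Constructed sample values, not taken from any real .bib file.
    const char* samples[] = {"https://example.org/paper.pdf",
                             "file:///home/user/notes.txt",
                             "customapp:run?arg=1", "example.org/paper"};
    for (const char* s : samples)
        std::cout << s << " -> " << static_cast<int>(decideUrl(s, false)) << "\n";
}
```

A "file" field would need its own check, since a single-letter drive prefix parses as a scheme here and is refused.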