[Webkit-unassigned] [Bug 182924] Potential privacy issue: DNS prefetching can be re-enabled

bugzilla-daemon at webkit.org
Wed Feb 21 13:13:19 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=182924

--- Comment #5 from Milan Crha <mcrha at redhat.com> ---
Tor users can enable the DNS prefetch in settings and it'll make them happy again. Evolution explicitly disables the prefetch. I didn't know all webkit has this disabled by default, good to know. As this will be all client-driven, there is no need to remove the setting and the code around it, it's all fine.

I believe the intention to have the page override this option is just a security hole, especially after Jens explained it (to me) in the GNOME bugzilla.

I hesitate to insert at the top of each generated HTML code by Evolution (in iframe-s too?) a new <meta> first, to explicitly disable prefetch, then any similar tag in received mail would not enable it, but if you think it's the way to go, then let it be the way to go.

Another approach would be to have enable-dns-prefetch a three-state value:
1) enabled always
2) disabled always
3) disabled, but allow the page to enable it (to mimic the current behaviour and
   expectations)

and at most the page will always be able to disable DNS prefetch, but enable it only if the setting has the value 3) from the above list.

-- 
You are receiving this mail because:
You are the assignee for the bug.
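
The three-state proposal from the comment above, worked through as an added example (not part of the original message and not WebKit or Evolution code). It assumes the `<meta>` in question is `http-equiv="x-dns-prefetch-control"`; the enum names, `effective_prefetch` and the sample mail are hypothetical or constructed, and "last directive wins" under value 3 is an assumption.

```python
from enum import Enum
from html.parser import HTMLParser


class PrefetchSetting(Enum):
    ALWAYS_ENABLED = 1            # 1) enabled always
    ALWAYS_DISABLED = 2           # 2) disabled always
    DISABLED_PAGE_MAY_ENABLE = 3  # 3) disabled, but the page may enable it


class ControlCollector(HTMLParser):
    """Collects x-dns-prefetch-control directives in document order."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "x-dns-prefetch-control":
            value = a.get("content", "").strip().lower()
            if value in ("on", "off"):  # ignore malformed values
                self.directives.append(value)


def effective_prefetch(setting, html):
    """Return True if DNS prefetch ends up enabled for this document."""
    collector = ControlCollector()
    collector.feed(html)
    enabled = setting is PrefetchSetting.ALWAYS_ENABLED
    for directive in collector.directives:
        if directive == "off":
            enabled = False  # the page can always disable
        elif setting is PrefetchSetting.DISABLED_PAGE_MAY_ENABLE:
            enabled = True   # only value 3 lets the page enable
    return enabled


# Constructed sample: a client-inserted "off" tag, then an "on" tag from the mail.
SAMPLE_MAIL = (
    '<html><head><meta http-equiv="x-dns-prefetch-control" content="off"></head>'
    '<body><meta http-equiv="X-DNS-Prefetch-Control" content="on">'
    '<a href="https://tracker.example/">link</a></body></html>'
)

if __name__ == "__main__":
    for s in PrefetchSetting:
        print(s.name, effective_prefetch(s, SAMPLE_MAIL))
```

With the sample mail, only value 3 ends with prefetch enabled: the mail's own tag overrides the one inserted at the top, which is the case the comment is concerned about.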