ConverseJS automatically visits sent links #1228
Comments
Yes, I'll look into it.
TBH, I thought this was already the case, but looks like it isn't.
Do you parse every link or only links that are repeated in the oob tag? (That’s how Conversations differentiates between 'attachments' (HTTP upload) and plain old links that are meant as links). Also, it might be worth loading images only over HTTPS or it will trigger the 'unsafe elements' warning in the browser. If you decide to only auto load actual attachments (oob url) then limiting oneself to HTTPS isn’t really a problem because HTTP upload has TLS as a MUST anyway.
Currently all links are checked whether they are images. I think a webchat client is subtly different from a mobile client in that people will more regularly just paste an image URL (which means it's not sent as OOB) and then expect that image to render inline. Concerning HTTP, we can probably add a button to be clicked to render the image inline (like on Conversations in some cases).
There's now a new boolean option Besides this, Converse will only try to load as images those URLs that have a filename ending in one of the well-known image extensions.
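The policy discussed in the comments above (no request for a link unless its filename has a known image extension, automatic loading only over HTTPS, a click for plain HTTP, optionally only OOB attachments), as an added example that is not Converse.js code. The function name, option names, return values and extension list are assumptions made for illustration.

```javascript
// Added example, not Converse.js source. All identifiers here are hypothetical.
// Assumed list of "well-known image extensions"; the page does not enumerate them.
const IMAGE_EXTENSIONS = ['.png', '.jpg', '.jpeg', '.gif', '.webp'];

// Decide what the client does with a URL found in a message, without
// contacting the remote server to find out whether it is an image.
//   'render'        -> load inline automatically
//   'click-to-load' -> show a button; fetch only after the user clicks
//   'link'          -> plain hyperlink, no request made by the client
function classifyLink(rawUrl, options = {}) {
  const { showInline = true, oobOnly = false, oobUrls = [] } = options;
  if (!showInline) return 'link';

  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return 'link'; // not a parseable absolute URL
  }

  // Check the path only, so "?file=x.png" on an arbitrary page does not qualify.
  const path = url.pathname.toLowerCase();
  if (!IMAGE_EXTENSIONS.some((ext) => path.endsWith(ext))) return 'link';

  // Optional stricter mode: only URLs repeated in the OOB element (attachments).
  if (oobOnly && !oobUrls.includes(rawUrl)) return 'link';

  if (url.protocol === 'https:') return 'render';
  if (url.protocol === 'http:') return 'click-to-load'; // avoids mixed content
  return 'link'; // any other scheme is never fetched
}

// Constructed sample URLs (example.org is a placeholder host).
const samples = [
  'https://example.org/some/path',
  'https://example.org/cat.PNG?size=large',
  'http://example.org/cat.jpg',
  'https://example.org/page?img=cat.png',
];
for (const s of samples) console.log(classifyLink(s), s);
```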
Hi! I sent myself a link to my personal website on the web.conversations.im, but I do not visit the link:
When I now look into the webserver log, I see:
"$IP_ADDRESS - - [29/Sep/2018:16:32:32 +0200] GET /some/path HTTP/1.1" 404 117 "https://domain.tld" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
That means that links are automatically visited, which contradicts privacy.
I only recognized it, because uBlock Origin and uMatrix did block these requests in the first place as I usually block all 3rd party instances by default.
Edit: I now sent a direct link to an image and found that this image is automatically downloaded.