
Images embed from untrustworthy websites

Open unknao opened this issue 1 year ago • 8 comments

Title

unknao avatar Jun 28 '24 18:06 unknao

Oh No! Anyway

PAC3 has the same issue and no one is complaining there. I don't understand the paranoia of having content loaded from """""""""untrustworthy""""""""" websites.

If you want to be a schizo about it, set up an aggressive firewall on your own accord.

Cynosphere avatar Jun 28 '24 18:06 Cynosphere

It shouldn't be my responsibility to comb through every addon to see if it's secure or not, also pac3 not having a website whitelist is an issue as well.

unknao avatar Jun 28 '24 18:06 unknao

> It shouldn't be my responsibility to comb through every addon to see if it's secure or not

It should be because URL whitelists are an antipattern and proxying is expensive, whether it be hosting or bandwidth, especially for hobby projects for a sandbox game.

There's not really a risk other than "oh no someone has my IP" which means jack shit modern day.

Cynosphere avatar Jun 28 '24 18:06 Cynosphere

If Starfall can have a website whitelist, so can easychat. Also comparing anything to pac3 as if it's an example to be followed... lol

unknao avatar Jun 28 '24 18:06 unknao

> If Starfall can have a website whitelist, so can easychat.

Yeah cause we really need a bloated URL list of 200+ vanity domains from trusted image hosts to accommodate for everyone's needs because most of them are stubborn and won't switch off of their image host just to obey a stupid whitelist.

Plus you're complaining on an addon that's going to be archived at the end of the year that only a small minority of servers even use as is because everyone just uses Custom Chat, which has a URL whitelist anyways.

Maybe it's just time you find a better server then if you're paranoid about the players on it IP logging you or what not. ¯\_(ツ)_/¯

Cynosphere avatar Jun 28 '24 18:06 Cynosphere

I'm sure that if you argue in circles some more and say nothing of value that will validate your position on allowing ip grabbing that you are opted in to by default.

unknao avatar Jun 28 '24 18:06 unknao

On a more serious note, I've been aware of this for the longest time but there's no reasonable solution for this. Let me explain why:

  • whitelist: If I implement a whitelist it would mean I have to maintain a giant table with a bunch of domains which frankly I'm not too much into. The other very apparent issue is that as soon as I do that I will get 9999 questions and issues about "why images don't work anymore?"

  • proxy/hosting content: That would mean storing a bunch of nonsense on a server which would be costly and also a legal liability. People tend to share all kinds of bad stuff on the internet.

  • disabling images by default: It's already partially the case but it's more of a way to protect people from nsfw/trash content by blurring the images. Although I could straight out not show them I'd be back with tons of questions and issues "why images no work?"

So ultimately what would probably work is letting the user decide what is trustworthy or not, but I feel like this is more of a client issue than an EasyChat issue.

Earu avatar Jun 29 '24 08:06 Earu

Closing as issue is stale and no fix / proper solution in sight.

Earu avatar Jul 11 '24 15:07 Earu

@unknao is right though. IP grabbing is an issue and anyone who tells me otherwise doesn't know what they're talking about. Anyways just go install https://github.com/CFC-Servers/cfc_cl_http_whitelist on your server and the problem will be solved because every addon having URL whitelisting code is a bit silly.

ghost avatar Dec 22 '24 20:12 ghost
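
An added example, not code from EasyChat or cfc_cl_http_whitelist: a per-user host allowlist check of the kind discussed in this thread, written in plain Lua, covering the URL-parsing cases (userinfo, look-alike suffixes, ports, non-HTTP schemes) that a substring match gets wrong. The names `trustedHosts`, `extractHost`, `isTrustedHost` and `isTrustedUrl` and the sample hosts are assumptions made for illustration; the check is assumed to run on the client before any request for the image is issued.

```lua
-- Added example; all names and hosts below are hypothetical / constructed.
local trustedHosts = {               -- set the user edits; subdomains are implied
    ["img.example.org"] = true,
    ["example-images.test"] = true,
}

-- Return the lowercase host of an http(s) URL, or nil if it cannot be parsed safely.
local function extractHost(url)
    if type(url) ~= "string" then return nil end
    -- Control characters, whitespace and backslashes are parsed inconsistently: reject.
    if url:find("[%c%s\\]") then return nil end
    local scheme, rest = url:match("^(%a[%w+.-]*)://(.*)$")
    if not scheme then return nil end
    scheme = scheme:lower()
    if scheme ~= "http" and scheme ~= "https" then return nil end
    -- The authority ends at the first "/", "?" or "#".
    local authority = rest:match("^([^/?#]*)")
    -- Drop userinfo: in "https://img.example.org@evil.test/x" the host is evil.test.
    authority = authority:match("@([^@]*)$") or authority
    -- Strip an optional numeric port.
    local host = authority:match("^([%w.-]+):%d+$") or authority
    host = host:lower():gsub("%.$", "")   -- normalise case and a trailing dot
    -- Anything left that is not a plain DNS name (IPv6 literals included) is refused.
    if host == "" or not host:match("^[%w.-]+$") then return nil end
    return host
end

-- Exact match, or a subdomain cut on a label boundary, so that
-- "img.example.org.evil.test" never matches "img.example.org".
local function isTrustedHost(host, trusted)
    while host do
        if trusted[host] then return true end
        host = host:match("^[^.]+%.(.+)$")   -- strip the leftmost label
    end
    return false
end

local function isTrustedUrl(url, trusted)
    local host = extractHost(url)
    return host ~= nil and isTrustedHost(host, trusted)
end

-- Constructed sample URLs: one plain, one with userinfo, one look-alike suffix,
-- one with upper case and a port, one non-HTTP scheme.
for _, url in ipairs({
    "https://img.example.org/a.png", "https://img.example.org@evil.test/a.png",
    "https://img.example.org.evil.test/a.png", "HTTPS://CDN.IMG.EXAMPLE.ORG:443/a.png",
    "ftp://img.example.org/a.png",
}) do
    print(url, isTrustedUrl(url, trustedHosts))
end
```

A trusted host can still redirect to another host, so the same check has to be applied again wherever the client follows redirects.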