Unnecessarily passing cleartext URLs of all pages visited to server

[00dani]

The "Indicate if page already saved" option is expected to make requests to your Wallabag server for every URL you visit, so it can check whether that URL is already saved. However, it currently uses the url query parameter to pass these URLs up as cleartext, and it doesn't need to.

The /api/entries/exists endpoint can instead be passed a hashed_url parameter, which is the SHA-1 hash of a URL and can also indicate whether a URL matching that hash exists on the server. Wallabagger should use this parameter instead, to avoid potentially leaking every URL you ever visit.

I don't know which versions of Wallabag support the hashed_url parameter, so it may be necessary to maintain support for cleartext checks as well. But making hashed_url available as an alternative option is certainly viable.

[Simounet]

This would be a great feature but I'm not sure if there is a tagged wallabag's version out there right now. Could you confirm this info @nicosomb or @j0k3r, please?

[j0k3r]

Not yet. I would like to release the 2.4.0 this month.

[Simounet]

Ok perfect. Will the generate-hashed-urls processing integrated to the update or manually launched by admins (just to be sure if I can count on this field after this precise version)?

[j0k3r]

It'll be listed in the how to upgrade, see https://github.com/wallabag/wallabag/pull/4361#issuecomment-716197638