webextension_local_filesystem_links
webextension_local_filesystem_links copied to clipboard
feinstaub
UNC path into whitelist
Hi!
we are setting up a wiki (DokuWiki) which has some links to folders and files into our server. If use the plugg-in (Local Filesystem Links) I am allowed to open those files/folders otherwise I am not. As far as I know this option is disabled in most browser for security reasons...
I would like to limit the files/folders I can directly open from the browser by using the whitelist. I would appreciate here some help since so far I did not manage to properly introduce the paths...
I am still testing, here some exemplary view of how the links look in DokuWiki:
[[\\localhost\e$\]]
[[\\pc-sim3\]]
[[\\srv-fs-01\daten|y-drive]]
How should my whitelist look like?
The following did not work because of invalid url:
*pc-sim3
*://pc-sim3
*://*pc-sim3
*localhost/e$/
The following did just not work:
*file://///localhost/e$/
In case to include that there is no way to include my UNC paths into the whitelist. How critic really is to keep the pluggin activated without any restriction?
Thanks in advance !!
Hi @carlesRT:
I think your understanding of the whitelist feature is wrong.
The URLs that are whitelisted, are web pages allowed to have file links. If the URL is not in the whitelist, the extension is not handling any links on that web page - it will be like any other web page with the extension disabled. It's not whitelisting the file links that are allowed. That would be another feature and is not implemented, at the moment. But I won't implement it, as it is pretty complicated to implemented and access permissions can be also controlled in the file system.
The idea behind the whitelist feature is that you're trusting that domain and allow all links to local files on that web page.
Safety
I think using the whitelist feature for your wiki should be enough to add more protection. I don't know any safety related issues with the extension enabled.
With the whitelist you know that there is no script that will do anything malicious with the file links. I've checked the safety in issue #16 - that's why the links to executables files are blocked by default.
With-out using the whitelist a page Javascript could trigger a file link to open the linked file but that's it - it can not get information about the content of the file nor can it send the data anywhere.
Hi @AWolf81,
thanks for the quick reply! ok, ok, I indeed missunderstood the use of the whitelist! 👍
I wasn't sure I could use this Add-on.... because I activated the Local Filesystem Links Add-on and with it I was able to open my links from the browser (Firefox) with any additional settings, i.e. the browser is now entitled to open any link with no restriction and as you can see from my 1st post I wasn't able to properly use the whitelist and with it restrict the use of links within our wiki.
I am no expert on security issues, I can only post a stackoverflow link with a discussion on the topic: "Why local links are disabled by default". Based on that... a question would be if it is better to set whitelist default value to * or rather keep it empty. I think that if it is set to * some users might oversee the implications behind .... while if you keep it empty some user might complain but everyone using it will have a better understanding of it.
My issue is solved, thanks! but I leave the issue open in case it is something you want to further discuss 👍 .
k. Regards, Carles