nextcloud-drawio
Privacy tickbox in admin screen
We have users complaining to us (draw.io) that the default war we provide makes calls to external sites when they run it with NextCloud. It would be useful if the admin screen had a tickbox called something like "private mode" that added the appropriate URL parameters to the draw.io URL to switch off external connections. I think that's stealth=1, but need to double check.
We're happy to sponsor this work (pay for it).
Doesn't seem to be a big thing. I can work on this as I already did some changes in the configuration backend (see #41).
I added a privacy option in my own server and the parameter "stealth=1" is added now in the URL, when this option is set. However, external connections are still there.
I tested this with https://www.draw.io as well as with my own hosted server - no difference. In fact, stealth=1 does not change anything at all. The following external resources are always requested:
https://cdn.mathjax.org/mathjax/contrib/a11y/accessibility-menu.js?V=2.7.0
https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.0/MathJax.js?config=TeX-MML-AM_HTMLorMML
https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.0/config/TeX-MML-AM_HTMLorMML.js?V=2.7.0
https://www.jgraph.com/drawio-footer.js
What "stealth=1" really does is avoid connections to Google Drive and OneDrive, see for yourself:
https://www.draw.io/ https://www.draw.io/?stealth=1
However - for the embedded version inside Nextcloud, Google Drive and OneDrive don't get used anyway, so stealth=1 does not make any difference.
Oh - and BTW: external services are still useable as well. PDF export is also possible with stealth=1.
If you want to check my changes to see whether anything is missing:
https://github.com/arnowelzel/nextcloud-drawio/commit/bfbc0143a135a3c47e39ce91520f7e684d3a1d3f
After checking https://desk.draw.io/support/solutions/articles/16000042546-what-url-parameters-are-supported- and experimenting a bit with other parameters as well, I believe the right parameter is offline=1 and not stealth=1:
Shortcut for db=0&gapi=0&math=0&picker=0&analytics=0 and disables all remote operations and features, such as i18n (english only), remote images, google/dropbox integration and plugins
And indeed - when using this parameter, all external resource requests are gone. So a combination of stealth=1&offline=1 is the parameter you want to add to get better privacy - of course with fewer features then as well. Did some additional changes: https://github.com/arnowelzel/nextcloud-drawio/commit/a4ca8111313844c47c4a30075651858557918872
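The check described in the comment above, as an added example that is not part of the thread or of the nextcloud-drawio code: it appends the stealth=1&offline=1 combination to an editor URL and reports which origins in a list of observed requests are external. The function names, the host drawio.example.org and the two same-origin entries are assumptions; in practice the request list would come from the browser's network panel.

```javascript
// Added example; buildEditorUrl and findExternalOrigins are hypothetical names.

// Parameter combination the comment above settles on.
const PRIVACY_PARAMS = { stealth: '1', offline: '1' };

// Build the editor URL, forcing the privacy parameters when the admin option is set.
function buildEditorUrl(baseUrl, privacyMode) {
  const url = new URL(baseUrl);
  if (privacyMode) {
    for (const [key, value] of Object.entries(PRIVACY_PARAMS)) {
      url.searchParams.set(key, value); // set() overrides an existing stealth=0
    }
  }
  return url.toString();
}

// Return the distinct origins in requestUrls that differ from the editor's own origin.
function findExternalOrigins(editorUrl, requestUrls) {
  const own = new URL(editorUrl).origin;
  const external = new Set();
  for (const raw of requestUrls) {
    let parsed;
    try {
      parsed = new URL(raw, editorUrl); // relative URLs resolve to the editor origin
    } catch {
      continue; // skip entries that are not URLs
    }
    if (!/^https?:$/.test(parsed.protocol)) continue; // data:, blob: cause no network request
    if (parsed.origin !== own) external.add(parsed.origin);
  }
  return [...external].sort();
}

// Sample input: the four URLs reported in the thread, plus two constructed local entries.
const observed = [
  'https://cdn.mathjax.org/mathjax/contrib/a11y/accessibility-menu.js?V=2.7.0',
  'https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.0/MathJax.js?config=TeX-MML-AM_HTMLorMML',
  'https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.0/config/TeX-MML-AM_HTMLorMML.js?V=2.7.0',
  'https://www.jgraph.com/drawio-footer.js',
  '/js/app.min.js',             // constructed same-origin request
  'data:image/png;base64,AAAA', // constructed inline resource
];
const editorUrl = buildEditorUrl('https://drawio.example.org/?splash=0&stealth=0', true);
console.log(editorUrl);
console.log(findExternalOrigins(editorUrl, observed));
```

An empty result from findExternalOrigins for a captured session is the condition a "private mode" tickbox is meant to guarantee.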
@pawelrojek Obviously, you're a busy person, so given @arnowelzel's contributions is there any scope to make him a project admin (assuming Arno doesn't object) to help you with the load?
@davidjgraph @pawelrojek No objections here. I'd be glad to help if needed.
@arnowelzel I just checked PDF export in stealth mode, it sends me to the built-in PDF generation, this isn't using the remote PDF service. That's using latest Firefox (60.0.2) on MacOS 10.13.5 navigating to https://www.draw.io/?splash=0&stealth=1, drawing a simple diagram and selecting File->Export As->PDF.
What should happen is we use the print to PDF functionality from print preview available in Chrome or MacOS.
Stealth=1 should (TM) be the right parameter, offline=1 will store the app in the appcache and load from there first. math=0 will stop the MathJax code loading. Stealth=1 should really disable remote footer loading, that's a bug.
@davidjgraph What "built-in PDF generation"? I just get a print dialog with no PDF at all. Just the dialog title is "PDF" and not "Print" - but it behaves exactly like the print dialog (tested with Firefox 60.0):

When I click "Print" the print dialog of my operating system appears and "Preview" will just show a preview in the browser - but this is not a PDF but HTML with embedded SVG.
PS: We should continue the discussion about PDF and stealth mode at https://github.com/jgraph/drawio/issues/275.
The OS or browser PDF generation, if available. We could disable the menu option if you're not using Chrome or MacOS. If you've installed a print to PDF function, it could probably be reasonably assumed you know to use it.
@pawelrojek I have to share Arno's original concerns a little now. You're obviously an extremely busy person, wouldn't sharing some of your workload out help that? You're the only admin to this project and to the draw.io NextCloud app entry. Under what conditions would you consider adding additional admins?
@davidjgraph You're right and I'm really sorry for all the delays. More admins seems like the best way to go for the good of this project.
No need to apologize, let others help you out so you don't get nagged so much 8-)