
Feature request: option to block all external elements

Open ghost opened this issue 2 years ago • 3 comments

Currently if in the page source an href, src, or link tag points to an external resource, kiwix-desktop will try to load it. I would like an option for kiwix to not load it.

I think also Kiwix should think about more protections in the case of a malicious zim file (to my knowledge, so far unseen). Perhaps also an option to disable javascript?

ghost avatar Nov 18 '22 08:11 ghost

Just to say this can be done quite easily by injecting a Content Security Policy into the article before it is rendered by the browser. We already do this in Kiwix JS for Windows and Linux here. This guarantees that no external content will be loaded by the browser / web view, which is especially important for Zimit-based archives, where it is extremely easy for the user to end up browsing the Web without realizing it.

Jaifroid avatar Nov 21 '22 06:11 Jaifroid

I'm pretty much in favour of this feature request

kelson42 avatar Aug 12 '23 18:08 kelson42

Can either be done with a CSP added to the content, or else with a CSP or other block of external fetch requests on the webview, I'd have thought. Like what was done with Kiwix Serve.

Jaifroid avatar Aug 13 '23 08:08 Jaifroid

I think blocking external fetches is the way to go. We can just block requests that do not "zim://".

For the CSP injection, I can see blockers on my side from my previous knowledge:

  1. I am not aware of any way to retrieve the Zim HTML before it is rendered.
  2. The setHtml method for QWebEngineView fails on my side with something like gio: data:text/html;charset=UTF-8,%3Cbody%3E%3C%2Fbody%3E: Operation not supported and I cannot find any information online about why this happens.

@kelson42 @veloman-yunkan Do you have any knowledge on the two issues described here? If not I think we can go forward with the blocking approach.

ShaopengLin avatar May 20 '24 02:05 ShaopengLin

> I think blocking external fetches is the way to go. We can just block requests that do not "zim://".

LGTM but obviously opening external link via third party browser should continue to work.

kelson42 avatar May 20 '24 09:05 kelson42
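
The policy agreed in the comments above (allow only zim:// requests, keep external links working through a third-party browser), as an added example that is not kiwix-desktop code; the `Verdict`, `schemeOf` and `decide` names and the sample URLs are assumptions. It parses the scheme instead of searching the string for "zim://", so a URL that merely contains that text is still denied.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical names for illustration; not kiwix-desktop identifiers.
enum class Verdict { Allow, Block, OpenExternally };

// Lowercased RFC 3986 scheme of an absolute URL, or "" if there is none.
std::string schemeOf(const std::string& url) {
    std::size_t i = 0;
    while (i < url.size() && std::isspace(static_cast<unsigned char>(url[i]))) ++i;
    const std::size_t start = i;
    if (i == url.size() || !std::isalpha(static_cast<unsigned char>(url[i]))) return "";
    for (; i < url.size() && url[i] != ':'; ++i) {
        const unsigned char c = static_cast<unsigned char>(url[i]);
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return "";
    }
    if (i == url.size()) return "";  // ran out of input before ':'
    std::string s = url.substr(start, i - start);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// userNavigation: true for a link the user clicked (main-frame navigation),
// false for subresource fetches such as img, script, stylesheet or XHR.
Verdict decide(const std::string& url, bool userNavigation) {
    const std::string scheme = schemeOf(url);
    if (scheme == "zim") return Verdict::Allow;  // content served from the ZIM file
    // Assumption: clicked http(s) links are handed to the system browser.
    if (userNavigation && (scheme == "http" || scheme == "https"))
        return Verdict::OpenExternally;
    return Verdict::Block;  // default deny, including data:, file: and scheme-less input
}

int main() {
    // Constructed sample URLs.
    const char* samples[] = {"zim://book.zim/A/Index", "ZIM://book.zim/A/Index",
                             "https://cdn.example/lib.js",
                             "https://tracker.example/p.gif?ref=zim://book.zim/"};
    for (const char* u : samples)
        std::cout << static_cast<int>(decide(u, false)) << "  " << u << '\n';
    std::cout << static_cast<int>(decide("https://example.org/", true))
              << "  https://example.org/ (clicked)\n";
}
```

As an assumption about wiring: in a Qt WebEngine application a decision like this would be called from a `QWebEngineUrlRequestInterceptor`, which sees each request before it leaves the web view.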

@ShaopengLin Any chance to move forward on this today?

kelson42 avatar May 23 '24 04:05 kelson42

On it right now. Had courses during the day. Should be ready soon (also moving to a feature branch as you mentioned).

ShaopengLin avatar May 23 '24 04:05 ShaopengLin

@kelson42 I will add javascript disabling in a separate PR.

ShaopengLin avatar May 23 '24 07:05 ShaopengLin

> @kelson42 I will add javascript disabling in a separate PR.

Please don't implement the option to disable js. We just want to avoid network traffic to the outside coming from ZIM content.

kelson42 avatar May 23 '24 08:05 kelson42