💾 Archived View for gemi.dev › gemini-mailing-list › 000717.gmi captured on 2023-11-04 at 13:03:47. Gemini links have been rewritten to link to archived content


"Spy pixels in emails have become endemic"

Stephane Bortzmeyer <stephane (a) sources.org>

It is not just a Web problem, it also plagues email. (I'm glad there
are no inline images in Gemini.)

https://www.bbc.com/news/technology-56071437


Petite Abeille <petite.abeille (a) gmail.com>



> On Feb 17, 2021, at 09:28, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> (I'm glad there are no inline images in Gemini.)

There are:  data:image/png;base64...



Stephane Bortzmeyer <stephane (a) sources.org>

On Wed, Feb 17, 2021 at 09:44:16AM +0100,
Petite Abeille <petite.abeille at gmail.com> wrote
a message of 10 lines which said:

> There are:  data:image/png;base64...

You cannot turn that into a "spy pixel" since there is no extra
network request.

PS: how many clients display that?


Petite Abeille <petite.abeille (a) gmail.com>



> On Feb 17, 2021, at 10:19, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> You cannot turn that into a "spy pixel" since there is no extra
> network request.

Inline image was the topic.

> 
> PS: how many clients display that?

Mine does.



Petite Abeille <petite.abeille (a) gmail.com>



> On Feb 17, 2021, at 10:19, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> You cannot turn that into a "spy pixel" since there is no extra
> network request.

C: gemini://example.org
S: 30 gemini://example.org/trackerid
C: gemini://example.org/trackerid
S: 20 text/tracked



Louis Brauer <louis (a) brauer.family>

Am Mi, 17. Feb 2021, um 10:38, schrieb Petite Abeille:
> C: gemini://example.org
> S: 30 gemini://example.org/trackerid
> C: gemini://example.org/trackerid
> S: 20 text/tracked

A "data:base64..." embedded image, if there is such a thing in Gemini, 
doesn't trigger a network request.

- Louis


Petite Abeille <petite.abeille (a) gmail.com>



> On Feb 17, 2021, at 14:52, Louis Brauer <louis at brauer.family> wrote:
> 
> Am Mi, 17. Feb 2021, um 10:38, schrieb Petite Abeille:
>> C: gemini://example.org
>> S: 30 gemini://example.org/trackerid
>> C: gemini://example.org/trackerid
>> S: 20 text/tracked
> 
> A "data:base64..." embedded image, if there is such a thing in Gemini,
> doesn't trigger a network request.

The above was to illustrate the use of redirects to uniquely tag URLs,
without any user consent.

Nothing to do with data: URI.

Even though a data URI could contain resources which could trigger network activities.


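The four-line exchange Petite Abeille posted is the whole mechanism: the first request is answered with a 30 redirect to a freshly minted URL, and the page is only served from that URL, so the path itself becomes the visitor's identifier. The Python below is an illustration added to this archive page, not code posted by anyone in the thread or taken from any Gemini client. It simulates the exchange end to end with an in-memory server and two client redirect policies. The server class, the example.org host, the /t/<id> path layout and the only_trivial_redirects policy are all assumptions invented for the example.

```python
import secrets
import urllib.parse
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

# The stdlib resolver only joins relative references for schemes it knows,
# so register gemini before using urljoin on Gemini redirect targets.
for _lst in (urllib.parse.uses_relative, urllib.parse.uses_netloc):
    if "gemini" not in _lst:
        _lst.append("gemini")


@dataclass
class Response:
    status: int        # Gemini status code of the last response
    meta: str          # META line (redirect target, MIME type, or error text)
    body: bytes
    final_url: str     # the URL the body was actually served from
    hops: int          # redirects followed


class TrackingServer:
    """Constructed stand-in for the server in the thread (hypothetical).

    A request for "/" gets a 30 redirect to a freshly minted /t/<id> path;
    the page is only served from that tagged path, so the id identifies the
    visit without any consent or cookie-like state on the client side.
    """

    def __init__(self, host: str = "example.org"):
        self.host = host
        self.hits: dict[str, int] = {}   # tracker id -> requests to the tagged URL

    def handle(self, url: str) -> tuple[int, str, bytes]:
        parts = urlsplit(url)
        if parts.scheme != "gemini" or parts.hostname != self.host:
            return 53, "Proxy request refused", b""
        path = parts.path or "/"
        if path == "/":
            tid = secrets.token_hex(8)
            self.hits[tid] = 0
            return 30, f"/t/{tid}", b""          # relative redirect target
        if path.startswith("/t/") and path[3:] in self.hits:
            self.hits[path[3:]] += 1
            return 20, "text/gemini", b"# tracked page\n"
        return 51, "Not found", b""


class Client:
    """Minimal fetch loop; the redirect policy is a pluggable callback."""

    def __init__(self, server, max_redirects: int = 5, allow_redirect=None):
        self.server = server
        self.max_redirects = max_redirects
        self.allow_redirect = allow_redirect or (lambda src, dst: True)

    def fetch(self, url: str) -> Response:
        hops = 0
        while True:
            status, meta, body = self.server.handle(url)
            if 30 <= status <= 39:
                target = urljoin(url, meta)
                if hops >= self.max_redirects or not self.allow_redirect(url, target):
                    # Stop and hand the redirect back to the caller (e.g. a user prompt).
                    return Response(status, target, b"", url, hops)
                url, hops = target, hops + 1
                continue
            return Response(status, meta, body, url, hops)


def only_trivial_redirects(src: str, dst: str) -> bool:
    """Policy: silently follow only same-origin redirects that add a trailing slash."""
    s, d = urlsplit(src), urlsplit(dst)
    if (s.scheme, s.hostname, s.port) != (d.scheme, d.hostname, d.port):
        return False
    return d.path in (s.path, s.path + "/") and not d.query


if __name__ == "__main__":
    server = TrackingServer()
    naive = Client(server)
    careful = Client(server, allow_redirect=only_trivial_redirects)
    print(naive.fetch("gemini://example.org/").final_url)    # a unique /t/<id> URL
    print(careful.fetch("gemini://example.org/").status)     # 30: handed back, not followed
```

Two things to notice when running it. Every fetch by the naive client ends on a different final_url, which is exactly the per-visit tag. The careful client never reaches the tagged page, but the server has already minted an id for its first request, which is Louis's point that tracking starts at the first connection; the policy only stops the client from carrying the tag into the follow-up request.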

Louis Brauer <louis (a) brauer.family>

Am Mi, 17. Feb 2021, um 14:58, schrieb Petite Abeille:
> >> C: gemini://example.org
> >> S: 30 gemini://example.org/trackerid
> >> C: gemini://example.org/trackerid
> >> S: 20 text/tracked
> > 
> The above was to illustrate the use of redirects to uniquely tag URLs, 
> without any use consent. 
> 
> Nothing to do with data: URI. 
> 
> Even though a data URI could contains resources which could trigger 
> network activities.

Hm, I'm not a security or browser developer but do you have an example of 
a "data URI" that would trigger network activities in Gemini? I thought 
that Gemini spec was designed in a way to prevent that from happening.

Also: do you know any Gemini client that inlines images from non-local 
domains without explicit consent from the user? If so, we should open an 
issue because that is clearly against the spirit of Gemini. 

Regarding the request/response workflow you describe above: tracking 
happens already at the first request (and thanks to IPv6 every client has 
one or more unique IP addresses, and thanks to TLS every client has a 
unique signature in the request payload). 

- Louis


Petite Abeille <petite.abeille (a) gmail.com>



> On Feb 17, 2021, at 15:19, Louis Brauer <louis at brauer.family> wrote:
> 
> I thought that Gemini spec was designed in a way to prevent that from happening.

More of an aspiration than a reality.

> Regarding the request/response workflow you describe above: tracking
> happens already at the first request (and thanks to IPv6 every client has
> one or more unique IP addresses, and thanks to TLS every client has a
> unique signature in the request payload).

Q.E.D.



Nathan Galt <mailinglists (a) ngalt.com>



> On Feb 17, 2021, at 6:19 AM, Louis Brauer <louis at brauer.family> wrote:
> 
> Am Mi, 17. Feb 2021, um 14:58, schrieb Petite Abeille:
>>>> C: gemini://example.org
>>>> S: 30 gemini://example.org/trackerid
>>>> C: gemini://example.org/trackerid
>>>> S: 20 text/tracked
>>> 
>> The above was to illustrate the use of redirects to uniquely tag URLs, 
>> without any use consent. 
>> 
>> Nothing to do with data: URI. 
>> 
>> Even though a data URI could contains resources which could trigger 
>> network activities.
> 
> Hm, I'm not a security or browser developer but do you have an example
> of a "data URI" that would trigger network activities in Gemini? I thought
> that Gemini spec was designed in a way to prevent that from happening.

SVG images would work nicely in data: URIs.

They can have JavaScript in them.

If I were making a graphical Gemini browser, I'd just decode the base64
text and then hand the entire blob off to some SVG library, which, for all
I know, might run the JavaScript.

Or it might not. I don't remember seeing any SVG-decoding libraries that
depended on Node.


Louis Brauer <louis (a) brauer.family>

Am Do, 18. Feb 2021, um 04:24, schrieb Nathan Galt:
> SVG images would work nicely in data: URIs.
> 
> They can have JavaScript in them.

Damn, just found that:
https://davidwalsh.name/javascript-in-svgs

Didn't realize that SVGs are just part of the DOM and can contain and run 
arbitrary JavaScript. I was a huge fan of SVGs until now :-).

Thanks for bringing that up.

- Louis


Oliver Simmons <oliversimmo (a) gmail.com>

If the library does run the JS (or make external requests in another
form) and does not have an option to disable it, I would consider that a bug
myself.
Myself, I would always use separate files for SVG and images.

I think for data: URIs clients shouldn't process ones that have the
possibility to make network requests without the user explicitly
saying yes to it.
The spec kinda falls apart here as data: isn't a network protocol :/
> clients MUST NOT automatically make any network connections as part of
> displaying links whose scheme corresponds to a network protocol

How would data: even work in gemini text anyway?
Link lines are only supposed to be for *URLs* not URIs


Petite Abeille <petite.abeille (a) gmail.com>



> On Feb 18, 2021, at 14:35, Oliver Simmons <oliversimmo at gmail.com> wrote:
> 
> How would data: even work in gemini text anyway?
> Link lines are only supposed to be for *URLs* not URIs

Check the last 18-24 months of the mailing list archive :)

https://lists.orbitalfox.eu/archives/gemini/

For example:

https://lists.orbitalfox.eu/archives/gemini/2020/001144.html



John Cowan <cowan (a) ccil.org>

On Thu, Feb 18, 2021 at 5:39 AM Louis Brauer <louis at brauer.family> wrote:


> Didn't realize that SVGs are just part of the DOM and can contain and run
> arbitrary JavaScript. I was a huge fan of SVGs until now :-).
>

There is a formal profile for SVG-without-DOM-or-CSS-or-JS called "SVG
Tiny", which comes in 1.1 and 1.2 flavors (1.2 added a few features that
are still considered safe).  If you want your graphical Gemini browser to
render such images, outfit it with an SVG Tiny renderer.  I don't know of
any fully conformant SVG Tiny 1.2 renderer at the moment, but svgirl claims
to convert any conformant input to a list of lines and curves to draw,
which can then be passed to any graphics library for actual rendering.



John Cowan          http://vrici.lojban.org/~cowan        cowan at ccil.org
Ahhh, I love documentation.                           --Stephen C.
Now I know that I know, and why I believe that I know it.
My epistemological needs are so satisfied right now.


easrng <easrng (a) gmail.com>

On February 18, 2021 3:24:34 AM UTC, Nathan Galt <mailinglists at ngalt.com>
wrote:
> ... for all I know, might run the JavaScript.

SVGs when rendered as images (on the web) can't make network calls or run
JS. I assume libraries expose this option.


SVGs can be used in web browsers several ways. These are the places they
can run JS.

- They can be loaded standalone with no HTML (by browsing directly to the
file)
- They can be inline as an <svg> tag
- They can be <embed>ded

They can also be used as an image, and can't run JS or make network
requests (ex. load fonts) if used this way
- They can be used as an <img> src
- They can be a CSS background

CSS and animations work everywhere.


-- 
<https://www.google.com/teapot>

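Nathan's and easrng's messages describe the problem from the renderer's side: an SVG inside a data: URI can carry script, event handlers, external image or font references and CSS imports, and whether any of that fires depends entirely on how the client hands the bytes to its SVG library. The Python below is an added example for this archive page, not code from any thread participant or from any Gemini client. It decodes a data: URI and, for image/svg+xml, lists the constructs that could run script or reach the network if the payload were given to a full-featured renderer, so a client can refuse or degrade such images before rendering. The three sample SVGs, the tracker.example host and all function names are constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_to_bytes

# Hypothetical helper written for this thread, not part of any Gemini client.
SCRIPT_TAGS = {"script"}
CSS_FETCH = re.compile(r"url\s*\(|@import", re.IGNORECASE)


def decode_data_uri(uri: str):
    """Split an RFC 2397 data: URI into (media_type, payload_bytes)."""
    if not uri.startswith("data:"):
        raise ValueError("not a data: URI")
    header, sep, data = uri[5:].partition(",")
    if not sep:
        raise ValueError("malformed data: URI (no comma)")
    params = header.split(";")
    media_type = (params[0] or "text/plain").lower()
    if "base64" in (p.lower() for p in params[1:]):
        payload = base64.b64decode(data, validate=True)
    else:
        payload = unquote_to_bytes(data)
    return media_type, payload


def _local(qname: str) -> str:
    """Strip an ElementTree '{namespace}' prefix (xlink:href -> href)."""
    return qname.rsplit("}", 1)[-1]


def _is_inert_ref(value: str) -> bool:
    """Fragment and data: references never leave the document."""
    v = value.strip()
    return v.startswith("#") or v.lower().startswith("data:")


def audit_svg(payload: bytes) -> list[str]:
    """Return active-content findings for an SVG document; empty means inert."""
    findings = []
    head = payload[:4096].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        findings.append("DTD/ENTITY declaration (possible external entity)")
    # ElementTree does not fetch external entities, but a real client should
    # still parse untrusted XML with defusedxml or an equivalent hardened parser.
    root = ET.fromstring(payload)
    for el in root.iter():
        name = _local(el.tag) if isinstance(el.tag, str) else ""
        if name in SCRIPT_TAGS:
            findings.append("<script> element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and not _is_inert_ref(value):
                findings.append(f"external reference on <{name}>: {value}")
            elif a == "style" and CSS_FETCH.search(value):
                findings.append(f"CSS fetch in style attribute on <{name}>")
        if name == "style" and el.text and CSS_FETCH.search(el.text):
            findings.append("CSS fetch (url()/@import) in <style>")
    return findings


def audit_data_uri(uri: str) -> list[str]:
    """Audit a data: URI as a Gemini client might before inlining it."""
    media_type, payload = decode_data_uri(uri)
    if media_type == "image/svg+xml":
        return audit_svg(payload)
    if media_type.startswith("image/"):
        return []   # raster formats carry no references to other resources
    return [f"non-image media type {media_type}"]


def _to_uri(svg: str) -> str:
    return "data:image/svg+xml;base64," + base64.b64encode(svg.encode()).decode()


# Constructed samples (not taken from any real Gemini page).
INERT = _to_uri('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1 1">'
                '<rect width="1" height="1" fill="#000"/></svg>')
SCRIPTED = _to_uri('<svg xmlns="http://www.w3.org/2000/svg" '
                   'onload="fetch(\'https://tracker.example/p\')">'
                   '<script>fetch("https://tracker.example/q")</script></svg>')
PIXEL = _to_uri('<svg xmlns="http://www.w3.org/2000/svg" '
                'xmlns:xlink="http://www.w3.org/1999/xlink">'
                '<image xlink:href="https://tracker.example/1x1.png" width="1" height="1"/>'
                '<style>@import url("https://tracker.example/f.css");</style></svg>')

if __name__ == "__main__":
    for label, uri in (("inert", INERT), ("scripted", SCRIPTED), ("pixel", PIXEL)):
        print(label, audit_data_uri(uri))
```

The PIXEL sample is the Gemini analogue of the BBC article's spy pixel: no script at all, just an <image> pointing at a remote host, which a naive renderer would fetch and thereby report the read. Refusing the whole image on any finding is the simplest policy; a client that wants to keep rendering such images can instead strip the flagged elements and attributes, which is in effect what John Cowan's SVG Tiny suggestion amounts to.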
