💾 Archived View for gemi.dev › gemini-mailing-list › 000717.gmi captured on 2024-05-12 at 16:13:33. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

"Spy pixels in emails have become endemic"

1. Stephane Bortzmeyer (stephane (a) sources.org)

It is not just a Web problem, it also plagues email. (I'm glad there
is no inline images in Gemini.)

https://www.bbc.com/news/technology-56071437

Link to individual message.

2. Petite Abeille (petite.abeille (a) gmail.com)



> On Feb 17, 2021, at 09:28, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> (I'm glad there is no inline images in Gemini.)

There are:  data:image/png;base64...

?0?

Link to individual message.

3. Stephane Bortzmeyer (stephane (a) sources.org)

On Wed, Feb 17, 2021 at 09:44:16AM +0100,
 Petite Abeille <petite.abeille at gmail.com> wrote 
 a message of 10 lines which said:

> There are:  data:image/png;base64...

You cannot turn that into a "spy pixel" since there is no extra
network request.

PS: how many clients display that?

Link to individual message.

4. Petite Abeille (petite.abeille (a) gmail.com)



> On Feb 17, 2021, at 10:19, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> You cannot turn that into a "spy pixel" since there is no extra
> network request.

Inline image was the topic.

> 
> PS: how many clients display that?

Mine does.

?0?

Link to individual message.

5. Petite Abeille (petite.abeille (a) gmail.com)



> On Feb 17, 2021, at 10:19, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> You cannot turn that into a "spy pixel" since there is no extra
> network request.

C: gemini://example.org
S: 30 gemini://example.org/trackerid
C: gemini://example.org/trackerid
S: 20 text/tracked

?0?

Link to individual message.

6. Louis Brauer (louis (a) brauer.family)

Am Mi, 17. Feb 2021, um 10:38, schrieb Petite Abeille:
> C: gemini://example.org
> S: 30 gemini://example.org/trackerid
> C: gemini://example.org/trackerid
> S: 20 text/tracked

A "data:base64..." embedded image, if there is such a thing in Gemini, 
doesn't trigger a network request.

- Louis

Link to individual message.

7. Petite Abeille (petite.abeille (a) gmail.com)



> On Feb 17, 2021, at 14:52, Louis Brauer <louis at brauer.family> wrote:
> 
> Am Mi, 17. Feb 2021, um 10:38, schrieb Petite Abeille:
>> C: gemini://example.org
>> S: 30 gemini://example.org/trackerid
>> C: gemini://example.org/trackerid
>> S: 20 text/tracked
> 
> A "data:base64..." embedded image, if there is such a thing in Gemini, 
doesn't trigger a network request.

The above was to illustrate the use of redirects to uniquely tag URLs, 
without any use consent. 

Nothing to do with data: URI. 

Even though a data URI could contains resources which could trigger network activities.

?0?

Link to individual message.

8. Louis Brauer (louis (a) brauer.family)

Am Mi, 17. Feb 2021, um 14:58, schrieb Petite Abeille:
> >> C: gemini://example.org
> >> S: 30 gemini://example.org/trackerid
> >> C: gemini://example.org/trackerid
> >> S: 20 text/tracked
> > 
> The above was to illustrate the use of redirects to uniquely tag URLs, 
> without any use consent. 
> 
> Nothing to do with data: URI. 
> 
> Even though a data URI could contains resources which could trigger 
> network activities.

Hm, I'm not a security or browser developer but do you have an example of 
a "data URI" that would trigger network activities in Gemini? I thought 
that Gemini spec was designed in a way to prevent that from happening.

Also: do you know any Gemini client that inlines images from non-local 
domains without explicit consent from the user? If so, we should open an 
issue because that is clearly against the spirit of Gemini. 

Regarding the request/response workflow you describe above: tracking 
happens already at the first request (and thanks to IPv6 every client has 
one or more unique IP addresses, and thanks to TLS every client has a 
unique signature in the request payload). 

- Louis

Link to individual message.

9. Petite Abeille (petite.abeille (a) gmail.com)



> On Feb 17, 2021, at 15:19, Louis Brauer <louis at brauer.family> wrote:
> 
> I thought that Gemini spec was designed in a way to prevent that from happening.

More of an aspiration than a reality.

> Regarding the request/response workflow you describe above: tracking 
happens already at the first request (and thanks to IPv6 every client has 
one or more unique IP addresses, and thanks to TLS every client has a 
unique signature in the request payload). 

Q.E.D.

?0?

Link to individual message.

10. Nathan Galt (mailinglists (a) ngalt.com)



> On Feb 17, 2021, at 6:19 AM, Louis Brauer <louis at brauer.family> wrote:
> 
> Am Mi, 17. Feb 2021, um 14:58, schrieb Petite Abeille:
>>>> C: gemini://example.org
>>>> S: 30 gemini://example.org/trackerid
>>>> C: gemini://example.org/trackerid
>>>> S: 20 text/tracked
>>> 
>> The above was to illustrate the use of redirects to uniquely tag URLs, 
>> without any use consent. 
>> 
>> Nothing to do with data: URI. 
>> 
>> Even though a data URI could contains resources which could trigger 
>> network activities.
> 
> Hm, I'm not a security or browser developer but do you have an example 
of a "data URI" that would trigger network activities in Gemini? I thought 
that Gemini spec was designed in a way to prevent that from happening.

SVG images would work nicely in data: URIs.

They can have JavaScript in them.

If I were making a graphical Gemini browser, I?d just decode the base64 
text and then hand the entire blob off to some SVG library, which, for all 
I know, might run the JavaScript.

Or it might not. I don?t remember seeing any SVG-decoding libraries that 
depended on Node.

Link to individual message.

11. Louis Brauer (louis (a) brauer.family)

Am Do, 18. Feb 2021, um 04:24, schrieb Nathan Galt:
> SVG images would work nicely in data: URIs.
> 
> They can have JavaScript in them.

Damn, just found that:
https://davidwalsh.name/javascript-in-svgs

Didn't realize that SVGs are just part of the DOM and can contain and run 
arbitrary JavaScript. I was a huge fan of SVGs until now :-).

Thanks for bringing that up.

- Louis

Link to individual message.

12. Oliver Simmons (oliversimmo (a) gmail.com)

If the library does run the JS (or make external requests in another
form) and not have an option to disable it I would consider that a bug
myself.
Myself I would always use separate files for SVG and images.

I think for data: URIs clients shouldn't process ones that have the
possibility to make network requests without the user explicitly
saying yes to it.
The spec kinda falls apart here as data: isn't a network protocol :/
> clients MUST NOT automatically make any network connections as part of 
displaying links whose scheme corresponds to a network protocol

How would data: even work in gemini text anyway?
Link lines are only supposed to be for *URLs* not URIs

Link to individual message.

13. Petite Abeille (petite.abeille (a) gmail.com)



> On Feb 18, 2021, at 14:35, Oliver Simmons <oliversimmo at gmail.com> wrote:
> 
> How would data: even work in gemini text anyway?
> Link lines are only supposed to be for *URLs* not URIs

Check the last 18-24 months of the mailing list archive :)

https://lists.orbitalfox.eu/archives/gemini/

For example:

gemini://gemi.dev/gemini-mailing-list/messages/001144.gmi

?0?

Link to individual message.

14. John Cowan (cowan (a) ccil.org)

On Thu, Feb 18, 2021 at 5:39 AM Louis Brauer <louis at brauer.family> wrote:


> Didn't realize that SVGs are just part of the DOM and can contain and run
> arbitrary JavaScript. I was a huge fan of SVGs until now :-).
>

There is a formal profile for SVG-without-DOM-or-CSS-or-JS called "SVG
Tiny", which comes in 1.1 and 1.2 flavors (1.2 added a few features that
are still considered safe).  If you want your graphical Gemini browser to
render such images, outfit it with an SVG Tiny renderer.  I don't know of
any fully conformant SVG Tiny 1.2 renderer at the moment, but svgirl claims
to convert any conformant input to a list of lines and curves to draw,
which can then be passed to any graphics library for actual rendering.



John Cowan          http://vrici.lojban.org/~cowan        cowan at ccil.org
Ahhh, I love documentation.                           --Stephen C.
Now I know that I know, and why I believe that I know it.
My epistemological needs are so satisfied right now.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20210218/5372
d358/attachment.htm>

Link to individual message.

15. easrng (easrng (a) gmail.com)

On February 18, 2021 3:24:34 AM UTC, Nathan Galt <mailinglists at ngalt.com>
wrote:
> ... for all I know, might run the JavaScript.

SVGs when rendered as images (on the web) can't make network calls or run
JS. I assume libraries expose this option.


SVGs can be used in web browsers several ways. These are the places they
can run JS.

- They can be loaded standalone with no HTML (by browsing directly to the
file)
- They can be inline as an <svg> tag
- They can be <embed>ded

They can also be used as an image, and can't run JS or make network
requests (ex. load fonts) if used this way
- They can be used as an <img> src
- They can be a CSS background

CSS and animations work everywhere.


-- 
? <https://www.google.com/teapot>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20210221/542c
8508/attachment.htm>

Link to individual message.

---

Previous Thread: [ANN] View this mailing list on Gemini

Next Thread: Digital signature in gemini pages