@g-k g-k commented Feb 18, 2022

fix: #627

This one took me longer to get to than anticipated.

This PR does not claim support for any browsers in favor of waiting until we can test output in them E2E #242


* `browser leaks https://browserleaks.com/`_
* `HTTP leaks https://github.com/cure53/HTTPLeaks`_
* `XS leaks https://xsleaks.dev/`_
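
Review bot: in all three list items the URL sits inside the backquotes without angle brackets, so reStructuredText reads the whole backquoted text as a reference name rather than a link with an embedded URI. Write each item in the form `browser leaks <https://browserleaks.com/>`_ so it renders as a working hyperlink.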

Member

We should probably add protecting users from clicking on urls that have malicious or harmful content. I think that's come up a few times and we haven't explicitly stated it's a non-goal.

Also, this non-goals list is pretty long. Maybe there's a better way to think about this? Maybe we can list Bleach's goals and then list everything else in a "These are the other things you should be thinking about that Bleach doesn't cover...." section?

Collaborator Author

> We should probably add protecting users from clicking on urls that have malicious or harmful content.

Good call! In "Safely create links" we have:

> Bleach does not try to verify the validity or safety of the domains linked to beyond being well-formed

so it seems weird to duplicate that into non-goals.

> Maybe there's a better way to think about this?

Agreed! Maybe rewording them and moving them to FAQ page?

The non-goals is already unwieldy and could be unbounded. We could also cover some other common issues in it and link to it from the issue bug template with some "hey did you check the FAQ?" text.

Hopefully it'd make people more likely to read the goals page too.

Member

@willkg willkg left a comment

Let's land it as it is now.

Before we do a 5.0.0 release, I'll do a pass through the docs (I forget what's in them--it's been a long while) and we can iterate over reducing, reorganizing, and clarifying then.

Collaborator Author

g-k commented Feb 22, 2022

ok sounds good. We have #397 for updating the docs.

@g-k g-k merged commit 78d311c into main Feb 22, 2022
@g-k g-k deleted the fix-627-define-supported-browsers-refine-sec-goals branch February 22, 2022 14:29
Development

Successfully merging this pull request may close these issues.

update goals / non-goals