x/pkgsite: image in readme and privacy #43114

pierrre · 2020-12-10T09:52:33Z

If a readme includes images, they're showed directly on pkg.go.dev.
It could cause privacy/security issue:

the image could be used to track users (statistics/IP/etc...)
if the image is "malicious", and the web browser has a bug, it could crash it, or execute arbitrary code

We should probably have an image proxy (similar to what Github does).

I'm surprised nobody reported it already.
I haven't found any similar issue on the tracker.
Maybe I didn't search correctly.

julieqiu · 2020-12-10T22:40:03Z

Closing this as a duplicate of #37128.

pierrre · 2020-12-11T07:39:00Z

sorry for the duplicate, I couldn't find this other issue in my search.

gopherbot added the pkgsite label Dec 10, 2020

gopherbot added this to the Unreleased milestone Dec 10, 2020

jamalc added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 10, 2020

jamalc modified the milestones: Unreleased, pkgsite/unplanned Dec 10, 2020

julieqiu closed this as completed Dec 10, 2020

golang locked and limited conversation to collaborators Dec 11, 2021

gopherbot added the FrozenDueToAge label Dec 11, 2021

Provide feedback