On 4.07.12, Julian Taylor wrote:
> On 07/04/2012 01:56 PM, Guenter Milde wrote:
> >> That is, if you open such a document in a modern browser, it will happily
> >> download some JavaScript code from a remote site. I feel this violation
> >> of our users' privacy (and a security concern).
> >
> > This depends on the browser settings of the user. Users concerned for
> > privacy and security will have safeguards in place, because browsing the
> > internet without these safeguards almost inevitably means to download and
> > execute JavaScript from remote sites. With JavaScript blocked, the user
> > will see the latex source, instead of a rendering.
> >
> > I agree that a web page should not use javascript without need. However,
> > the idea with mathjax as default math-output-format is to have something
> > that works "out of the box" for most users - all alternatives are
> > currently not up to the task but require additional configuration. I
> > checked the mathjax site and it appeared to be a serious project by
> > serious players (see http://www.mathjax.org/sponsors/).
> >
> > This is why I do not agree with labeling this as a "serious" bug.
> It is a serious bug.
> At the very least the url must be changed to the https one:
> https://c328740.ssl.cf1.rackcdn.com/mathjax/latest/MathJax.js

The problem with this URL is that it is rather cryptic, which makes the
decision whether to exempt it from JavaScript blocking difficult.

While a man-in-the-middle attack is not to be excluded with plain http, the
same can be said for any web page containing JavaScript.

> But as Mathjax serves from some cloud service which has the same
> certificate for all frontend users, you can't ensure that you really
> get the mathjax file you wanted even when you use their https transport.

Does this mean that Debian considers using the public MathJax server in
HTML documents a serious security threat?

Günter
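The concern in this thread is HTML output that makes the browser fetch JavaScript from another host, and over plain http at that. As an added example (not code from the bug thread or from docutils), the following check parses an HTML document, lists every script loaded from a host other than the document's own, and flags those not fetched over https; the CDN host in the sample is a constructed placeholder.

```python
# Added example (not code from the bug thread or from docutils): list the
# scripts an HTML document fetches from other hosts and flag those that
# would be loaded over plain http.
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []  # src attribute of every <script> tag, in document order

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())

def audit_remote_scripts(html, document_host=None):
    """Return (url, scheme, insecure) for each script fetched from a host other
    than document_host. Relative references are skipped. insecure is True for
    plain http and for scheme-relative URLs, which inherit http on an http page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        parsed = urlparse(src)
        if not parsed.netloc:
            continue  # relative reference, not a remote load
        if document_host and parsed.netloc.lower() == document_host.lower():
            continue
        scheme = parsed.scheme.lower()
        findings.append((src, scheme or "(scheme-relative)", scheme != "https"))
    return findings

# Constructed sample with a placeholder CDN host (cdn.example.invalid).
SAMPLE_HTML = """<html><head>
<script type="text/javascript"
  src="http://cdn.example.invalid/mathjax/latest/MathJax.js?config=TeX-AMS_HTML"></script>
<script src="//cdn.example.invalid/extra.js"></script>
<script src="https://cdn.example.invalid/mathjax/latest/MathJax.js"></script>
<script src="/local/script.js"></script>
</head><body><p>\\(x^2\\)</p></body></html>"""

if __name__ == "__main__":
    for url, scheme, insecure in audit_remote_scripts(SAMPLE_HTML):
        print(("INSECURE " if insecure else "ok       ") + url)
```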