On  4.07.12, Julian Taylor wrote:
> On 07/04/2012 01:56 PM, Guenter Milde wrote:
> >> That is, if you open such document in a modern browser, it will happily 
> >> download some JavaScript code from a remote site. I feel this violation 
> >> of our users privacy (and a security concern).
> > 
> > This depends on the browser settings of the user. Users concerned for
> > privacy and security will have safeguards in place, because browsing the
> > internet without these safeguards almost inevitable means to download and
> > execute JavaScript from remote sites. With JavaScript blocked, the user
> > will see the latex source, instead of a rendering. 
> > 
> > I agree that a web page should not use javascript without need. However,
> > the idea with mathjax as default math-output-format is to have something
> > that works "out of the box" for most users - all alternatives are
> > currently not up to the task but require additional configuration. I
> > checked the mathjax site and it appeared to be a serious project by
> > serious players (see http://www.mathjax.org/sponsors/). 
> > 
> > This is why I do not agree with labeling this as a "serious" bug.

> It is a serious bug.

> To the very least the url must be changed to the https one:
> https://c328740.ssl.cf1.rackcdn.com/mathjax/latest/MathJax.js

The problem with this URL is that it is rather cryptic which makes the
decision whether to extempt it from JavaScript bocking difficult.

While a man-in-the-middle attack is not to be excluded with plain http, the
same can be said for any web page containing JavaScript.

> But as Mathjax servers from some cloud service which has the same
> certificate for all frontend users, so you can't ensure that you really
> get the mathjax file you wanted even when you use their https transport.

Does this mean that Debian considers using the public MathJax server in
HTML documents a serious security threat?

Günter



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to