On Thu, Aug 17, 2023 at 08:54:43AM +0200, Jürgen Spitzmüller wrote: > I am not sure we really need a pref to bypass this measure, or disable > the feature completely (as in needauth). This strikes me > overregulation.
I don't have clerar opinion here. > BTW are we talking URLs only or also links to local files? I am actually not sure what magic can be done with the scheme prefixes, like what happen on mac if you specify something else than "file:///" or if the file is executable and you call it with "open", so we should be careful here. > If the latter is also considered to be harmful, things will get significantly > more complicated if lyxpaperview.py is involved. That was the reason that lyxpaperview.py has already separated RC variable and is disabled by default. We could add one more warning in tooltip, that you enabling it is security risk. Or move that option to need auth section, so it's clear that it security-related option and you should know what you are doing. On the other hand to me the primary question is whether you trust the source of the document (basically someone else than you?), so the proposed warning dialog should imho ask whether you trust origin of the document and cover at once all three cases: - hyperlinks - citation urls - lyxpaperview seraches. Pavel -- lyx-devel mailing list [email protected] http://lists.lyx.org/mailman/listinfo/lyx-devel
