Thanks ermouth, I’m surprised my proposal made it through without discussion. I have the same question ;D
FWIW, this “leaks” the browser connection to the internet, not necessarily CouchDB instance data. For a production version of this, I would at least expect an opt-in button on that page, before loading remote content. My PR was meant to start this discussion :)

Best
Jan

> On 24. Jun 2020, at 10:33, ermouth <ermo...@gmail.com> wrote:
>
> Since I hadn’t received any answer at Github, I’d like to raise an
> important CouchDB Fauxton security question publicly.
>
> One of the latest Fauxton PRs (
> https://github.com/apache/couchdb-fauxton/pull/1284) adds a remote newsfeed
> to Fauxton. Emitting a newsfeed in the admin panel in that way may lead to
> IP collection of CouchDB instances (or subnets, that is even worse)
> somewhere.
>
> Where is this ‘somewhere’ located? Pinging blog.couchdb.org shows it points
> to lb.wordpress.com, which seems a bit ridiculous. CouchDB instances are
> not uncommon for very critical parts of infrastructure and security
> projects, and I doubt anyone wants to expose node IPs to _whatever_ logs,
> esp. wordpress.com.
>
> So I’d like to ask devs and users: does anyone think adding news to the
> admin panel is worth creating such a security hole?
>
> ermouth
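The opt-in gate Jan describes, as an added JavaScript example that is not Fauxton's or the PR's own code: nothing is fetched until the operator has explicitly agreed, and the placeholder names the host the browser would contact. The feed URL, the preference key and the injected `fetchImpl` are assumptions for the example.

```javascript
// Added example (not Fauxton code): gate a remote newsfeed behind an explicit
// opt-in so the admin panel never contacts a third-party host on its own.
const NEWS_FEED_URL = 'https://blog.couchdb.org/feed/'; // assumed feed URL
const OPT_IN_KEY = 'fauxton.newsfeed.optIn';            // assumed preference key

// Pure decision: only a persisted, explicit 'true' enables loading. A missing,
// malformed or negative preference always falls back to "do not load".
function newsFeedPlan(prefs) {
  if (prefs && prefs[OPT_IN_KEY] === 'true') {
    return { load: true, url: NEWS_FEED_URL, notice: null };
  }
  const host = new URL(NEWS_FEED_URL).host;
  return {
    load: false,
    url: null,
    // Shown next to the opt-in button instead of the feed.
    notice: 'Loading news contacts ' + host +
            ' from your browser, which reveals your IP address to that host.',
  };
}

// Record the operator's choice; wire this to the opt-in button's click handler.
// `prefs` stands in for localStorage or Fauxton's settings store.
function recordOptIn(prefs, agreed) {
  prefs[OPT_IN_KEY] = agreed ? 'true' : 'false';
  return prefs;
}

// Fetch only when the plan allows it. `fetchImpl` is injected so the gate can
// be exercised without network access; returns null when not opted in.
// credentials:'omit' and referrerPolicy:'no-referrer' keep cookies and the
// admin-panel URL out of the request even once the operator has agreed.
async function loadNewsFeed(prefs, fetchImpl) {
  const plan = newsFeedPlan(prefs);
  if (!plan.load) return null;
  const res = await fetchImpl(plan.url, {
    credentials: 'omit',
    referrerPolicy: 'no-referrer',
  });
  if (!res.ok) throw new Error('newsfeed request failed: ' + res.status);
  return res.text();
}
```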