[Python-modules-team] Bug#677929: Bug#677929: python-docutils: remote copy of MathJax needed to render maths
Guenter Milde
g.milde at quantentunnel.de
Wed Jul 4 18:40:05 UTC 2012
On 4.07.12, Julian Taylor wrote:
> On 07/04/2012 01:56 PM, Guenter Milde wrote:
> >> That is, if you open such a document in a modern browser, it will happily
> >> download some JavaScript code from a remote site. I feel this is a violation
> >> of our users' privacy (and a security concern).
> >
> > This depends on the browser settings of the user. Users concerned for
> > privacy and security will have safeguards in place, because browsing the
> > internet without these safeguards almost inevitably means to download and
> > execute JavaScript from remote sites. With JavaScript blocked, the user
> > will see the LaTeX source instead of a rendering.
> >
> > I agree that a web page should not use JavaScript without need. However,
> > the idea with MathJax as default math-output-format is to have something
> > that works "out of the box" for most users - all alternatives are
> > currently not up to the task but require additional configuration. I
> > checked the MathJax site and it appeared to be a serious project by
> > serious players (see http://www.mathjax.org/sponsors/).
> >
> > This is why I do not agree with labeling this as a "serious" bug.
> It is a serious bug.
> At the very least the URL must be changed to the https one:
> https://c328740.ssl.cf1.rackcdn.com/mathjax/latest/MathJax.js
The problem with this URL is that it is rather cryptic, which makes the
decision whether to exempt it from JavaScript blocking difficult.
While a man-in-the-middle attack is not to be excluded with plain http, the
same can be said for any web page containing JavaScript.
> But as MathJax serves from some cloud service which has the same
> certificate for all frontend users, you can't ensure that you really
> get the MathJax file you wanted even when you use their https transport.
Does this mean that Debian considers using the public MathJax server in
HTML documents a serious security threat?
Günter
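The concern in this thread is that docutils output pulls a script from a remote host, over plain http at that. The following audit script is an added example, not part of the bug report or of docutils: it scans generated HTML for remote <script> loads, rates plain-http loads as the highest risk (they can be altered in transit, as Julian notes), and lets you allowlist hosts you have decided to trust. The sample document and the http host in it are constructed; the https URL is the one quoted above.

```python
"""Audit docutils-generated HTML for remote <script> loads (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one plain-http load (hypothetical host), the https
# rackcdn URL quoted in the thread, and a local copy from Debian's libjs path.
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.invalid/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
<script src="https://c328740.ssl.cf1.rackcdn.com/mathjax/latest/MathJax.js"></script>
<script src="/usr/share/javascript/mathjax/MathJax.js"></script>
</head><body><div class="math">\\(a^2+b^2=c^2\\)</div></body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag names for us
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def audit_remote_scripts(html, allowed_hosts=()):
    """Return (severity, url) for each script not served from the local site.

    "high":   plain http, modifiable by anyone on the network path
    "medium": https (or protocol-relative) from a host not in allowed_hosts
    "low":    https from an allowlisted host
    Relative paths and local files produce no finding.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        parts = urlsplit(src)
        if not parts.netloc:
            continue  # same-origin or filesystem path: nothing leaves the machine
        scheme = parts.scheme.lower()
        if scheme == "http":
            findings.append(("high", src))
        elif scheme == "https" and parts.hostname in allowed_hosts:
            findings.append(("low", src))
        else:  # https to an unknown host, or protocol-relative //host/...
            findings.append(("medium", src))
    return findings


if __name__ == "__main__":
    for severity, url in audit_remote_scripts(SAMPLE_HTML):
        print(f"{severity:6s} {url}")
```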