Project

General

Profile

Bug #9429

Liferea internal browser's Javascript should be disabled by default

Added by emmapeel over 4 years ago. Updated over 1 year ago.

Status:
Rejected
Priority:
Low
Assignee:
-
Category:
-
Target version:
-
Start date:
05/19/2015
Due date:
% Done:

0%

Feature Branch:
Type of work:
Research
Blueprint:
Starter:
Affected tool:
Feed Reader

Description

Reported by user.

Liferea RSS reader comes with an internal browser. Javascript can be disabled on it, but comes enabled by default in Tails.

User claims that no RSS feed uses Javascript and that this can lead to a zeroday because the feeds don't do TLS.

Can somebody have a look at this?


Related issues

Related to Tails - Feature #5711: Persistence preset: Liferea Rejected 11/04/2013
Related to Tails - Bug #15776: Remove Liferea Resolved 08/09/2018

History

#2 Updated by sajolida over 4 years ago

#3 Updated by sajolida over 4 years ago

  • Type of work changed from Audit to Research

We've already discussed this issue when considering moving to Liferea 1.10.3. Our conclusion was that we should move out of Liferea and advertise Icedove for RSS feed reading. See #5711.

For the time being, the question you're raising here might still apply if it's possible to disable JavaScript in Liferea. So I'm marking this as a Research ticket.

Maybe we should create a ticket about getting rid of Liferea blocked by #5663 (Return to Icedove) to make sure we're moving forward on this front as soon as possible.

#4 Updated by intrigeri over 4 years ago

  • Status changed from New to Confirmed

Maybe we should create a ticket about getting rid of Liferea blocked by #5663 (Return to Icedove) to make sure we're moving forward on this front as soon as possible.

I think that's indeed what we should do, once #7626 is resolved.

#5 Updated by emmapeel over 4 years ago

A little more information:

I could not find a text file with the skel or default options in tails repo (maybe because of #5711), but I can see it on the graphic interface of Liferea, on Tools/Preferences/Browser/Internal Browser settings.

#6 Updated by sajolida almost 4 years ago

  • Priority changed from Normal to Low

I think that low prio as we should instead focus on replacing Liferea #11082.

#7 Updated by sajolida over 3 years ago

  • Affected tool set to Feed Reader

#8 Updated by u over 1 year ago

#9 Updated by u over 1 year ago

  • Status changed from Confirmed to Rejected

3.9 will have the deprecation wrapper + updated doc that recommends Thunderbird instead of Liferea (#11082). Then as per #11082#note-17 we shall remove Liferea in 3.10 or 3.11. → rejecting.

Also available in: Atom PDF