Allowed Clearnet resource switch

[purplesyringa]

Is your feature request related to a problem? Please describe.

Copied from this ZeroTalk thread:

So... I was surfing around and watching variety of zites at Sites.ZeroNetwork.bit.

Then, I've stumbled upon this zite: http://127.0.0.1:43110/1JNqdTGVATFWRLzzYwVu19CuWYus5VmoUS/

This is TorrentFreak's direct iframe. I mean, this is the fully operational website inside the ZeroNet frame, inserted there by another iframe. In user's data folder it simply looks like this:

<iframe src="https://torrentfreak.com/" style="position:fixed; top:0px; left:0px; bottom:0px; right:0px; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;"></iframe>

Now, if you can allow any website to be rendered from the inside of zeronet iframe, it can possibly lead to some point of anonimity breach, no? I thought, that if you're inside the zeronet iframe, you should not be able to include any other iframes? It's just you can include anything as an iframe in your zite (and hide it), and the end-user won't even know it is there. The hidden iframe can do some malicious things (like monero mining, i.e.), and the page shown could be usual zite to held end-user's attention long enough.

Why iframing external http/https resources is allowed?

-- smashbuckler

Describe the solution you'd like
A switch on /Config:

Allow sites to use Clearnet resources:

• Yes
• Yes, but warn me when they do
• No

A whitelist should probably be implemented as well.

Additional context
This can probably be easily controlled with CSP: the current value works for the 'Yes' option, more limits can be added for 'No', and Content-Security-Policy-Report-Only should be used for warnings.

According to some random site on the internet, CSP value limit is around 2048 bytes which should be more than enough for our use cases, including potential URL whitelists.

[purplesyringa]

You didn't get the idea -- it's not about iframes in particular, it's about using Clearnet resources like images, scripts, APIs, etc. It looks like I didn't underline that in the issue body though -- sorry for that.

[purplesyringa]

Once again: this issue is not about mirroring entire websites; it's about ZeroNet-to-Clearnet communication.

[purplesyringa]

Take a look instead to this: #2644 (comment)

There is no need to fill this issue with useless references to other issues, I'll look at them anyway.

This iframe issue must wait for others opinions as well.

Oh god, do you get it that it's not about iframes at all? It's about scripts, or fonts, or APIs -- but not about iframes in particular.

[purplesyringa]

Wrong. Use case: ZeroNet social network that allows you to add and verify your email/Facebook/etc. This requires a call to an external service.

[purplesyringa]

You are using a social network right now - GitHub. I am not advocating for running Facebook on ZeroNet, i.e. a social network with censorship and spying. Linking external accounts, which is my use case, is not mandatory for the main service but is a nice bonus.

[purplesyringa]

For http://127.0.0.1:43110/1ADQAHsqsie5PBeQhQgjcKmUu3qdPFg6aA a lot of people would end up in jail and this is nothing compared to other sites on ZeroNet.

For hosting /tech/? Go on...

But to allow loading anything from facebook or any other network including from GitHub is strongly discouraged.

Even if that Clearnet site is API that was built for that very zite? Even if the request is POST /api/verify-email?.

[purplesyringa]

Are you willing to admit there are more use cases of email than verifying if a user is a bot? My ideology has always been that bots must have the same rights, if not more powerful, than users, so I'm not going to add captcha anytime soon. I just want to allow my users to attach emails to their accounts, keeping the following invariant: as long as you trust the site owner (me), you can be sure that if you send a email to that address, the right person will receive it.

[purplesyringa]

You can do that. And there is nothing wrong in doing that. But there are many people who want to use ZeroNet but have no idea what PGP is. For them, email verification is the way.

[purplesyringa]

I think if someone get that far that running ZeroNet probably learning about PGP is not that hard to do.

You are overestimating humans. Many people come to ZeroNet not because they don't know about alternatives, but because they are too hard to use for them.

[scsmash3r]

@imachug rage
@HelloZeroNet @shortcutme point_down

Should never load a goddamn thing from clearnet. This is totally against the purposes of the network.

Clearnet stuff can disappear or change to bad and than you site will have a meltdown.

I'm against anything which is on clearnet. ZeroNet is a refuge not a place to invite the Interpol and other agencies.

Lastly, any attempt to make connections to clearnet should be avoided in order to preserve anonymity. Even if you use Tor with ZeroNet cloudflare or any other American captcha protected "service" (which mainly makes profit on selling personal data) would seriously make your life very difficult. They, all blocking Tor. Maintaining anonymity with clearnet requests from ZeroNet for any purpose is irresponsible, dangerous and many people would end up in jail!

You downloaded ZeroNet client from clearnet, and you're now posting comments on GitHub, being on clearnet. Yet, you're against resource loading from clearnet. I think it is a good thing to allow to communicate with resources from all over the places on the net (zeronet to clearnet resource request). But it should be a matter of choice for any particular user: it is up to them to allow or to block such requests.

I think, such requests should be blocked by default, and only allowed per zite (if the zite depends on clearnet resource and want to request it) by the client, who is visiting the zite.

For now, requesting clearnet libraries or chunks of data is a great aid for data to spread, cause inside ZN network itself, in its current state, there often can be 0 peers. With initially blocked access to outer resources, more and more devs will count that moment and will try to migrate their resources fully into ZN network instead just linking them directly (cause it may not work).