Diffstat (limited to 'README')
-rw-r--r-- README 47
1 files changed, 0 insertions, 47 deletions
diff --git a/README b/README
index 21e4c35..2467b7d 100644
--- a/README
+++ b/README
@@ -128,7 +128,6 @@ sfeed_opml_export - Generate an OPML XML file from a sfeedrc config file.
sfeed_opml_import - Generate a sfeedrc config file from an OPML XML file.
sfeed_mbox - Format feed data (TSV) to mbox.
sfeed_plain - Format feed data (TSV) to a plain-text list.
-sfeed_tail - Format unseen feed data (TSV) to a plain-text list.
sfeed_twtxt - Format feed data (TSV) to a twtxt feed.
sfeed_update - Update feeds and merge with old feeds in the directory
$HOME/.sfeed/feeds by default.
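Review bot: The removed sfeed_tail entry in the tool list has no matching change outside README (the diffstat shows 1 file changed), so nothing visible explains whether the tool is gone or merely undocumented. If sfeed_tail still ships, keep its line here so the list stays complete; if it was removed in another commit, say so in the commit message so this deletion can be traced.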
@@ -508,52 +507,6 @@ Now run:
Now you can view feeds in mutt(1) for example.
-Security considerations
------------------------
-
-About automated remote resource loading and content execution:
-
-Some feeds will use a tracking pixel (1x1 image size) in HTML content with some
-unique ID. Some even have embedded Javascript code, iframes, CSS. Opening such
-content and loading these resources automatically may leak unwanted
-information.
-
-For example on Slashdot:
-<img src="http://feeds.feedburner.com/~r/Slashdot/slashdot/~4/someid"
- height="1" width="1" alt=""/>
-
-If such content is opened in a typical webbrowser configuration this is
-insecure. Be aware opening a link in a page generated on the local filesystem
-or network has different privileges than one on a non-local domain.
-
-Recommendation:
-Do not handle content as HTML and avoid automated remote resource loading in
-content. Convert all content to plain-text in your formatting program.
-
-
-About handling links:
-
-Be careful about handling feed links.
-
-A malicious link could be: tel:some-phonenumber, file:// or some other protocol
-scheme which depending on the viewing program and system can have an action
-assigned.
-
-Another malicious link could be pointing to a local device, for example an
-(insecure) router: http://192.168.0.1/?reboot
-
-Recommendation:
-Filter specific by protocol and non-local domain. This can be done using a grep
-or awk filter or as a setting in your viewing program.
-
-See also:
-- RFC4287 (Atom): 8. Security Considerations:
- https://tools.ietf.org/html/rfc4287#section-8
-- RFC2854: 7. Security Considerations:
- https://tools.ietf.org/html/rfc2854
-- Filter examples: see the sfeed README file.
-
-
License
-------
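Review bot: Deleting the whole "Security considerations" section just before "License" leaves the README with no guidance on tracking pixels and other automatically loaded remote resources, or on links with schemes such as tel: and file:// and links to local devices like http://192.168.0.1/?reboot, and the hunk adds no pointer to where that text now lives. If the section moved to another document, replace it with a one-line reference to that location; otherwise keep at least the two "Recommendation:" paragraphs (convert content to plain text, filter links by protocol and non-local domain). The removed "See also" entry "Filter examples: see the sfeed README file." pointed at this same file, which suggests the text was written for another document, so it is worth confirming that the other copy exists before dropping this one.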