#DecidimRoadmap Designing Decidim together
[Security] Add an external link warning
**Is your feature request related to a problem? Please describe.**
Decidim currently renders external links, some of which participant users can enter themselves (comments, private messages, profile link, etc.). This can expose users to phishing: a malicious user enters a link to a site they control that reproduces the exact layout of the original site, tricking the user into, for example, entering their password on a site that is no longer the one they assume.
**Describe the solution you'd like**
There should be a special page inside Decidim which warns users that they are about to leave the site for an external page. The user should be able to click a button to confirm that they understand they are leaving the site; clicking it opens the actual target URL.
**Describe alternatives you've considered**
One alternative could be opening a popup on the same page which warns the user before they agree to go to another page. This would, however, leave users without JavaScript enabled exposed to such attacks.
**Additional context**
Each of these "special" warning pages should have a unique URL in order not to affect how search engines process the links.
The special page should also have the "noindex" meta tag defined on it, to keep these warning pages out of the search indexes.
Additionally, I'd like some way to control a "whitelist" of external link domains which would open without this warning. This could be needed e.g. for the city's own sites, which generally do not expose such security issues.
In the attachment, there is an example of such a warning page as implemented at HackerOne.
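The mechanism described above (rewrite external links to a unique warning URL, skip allowlisted hosts, re-validate the target on the warning page, and mark that page noindex), as an added Ruby example that is not Decidim's own code. SITE_HOST, ALLOWED_HOSTS, WARNING_PATH and the function names are assumptions for the illustration.

```ruby
require "uri"
require "cgi"

# Assumed instance configuration (not Decidim's real settings).
SITE_HOST = "decidim.example.org"
ALLOWED_HOSTS = ["decidim.example.org", "www.city.example"].freeze
WARNING_PATH = "/link"

# True when +href+ is an absolute http(s) link to a host outside the allowlist.
# Relative links, mailto:, tel: and unparsable values are left alone.
def external_link?(href)
  uri = URI.parse(href)
  return false unless %w[http https].include?(uri.scheme) && uri.host
  !ALLOWED_HOSTS.include?(uri.host.downcase)
rescue URI::InvalidURIError
  false
end

# Rewrites an external href to the warning page. The target rides in a query
# parameter, so every distinct external link gets its own unique warning URL.
def warning_url_for(href)
  return href unless external_link?(href)
  "#{WARNING_PATH}?external_url=#{CGI.escape(href)}"
end

# Rewrites every href in a participant-entered HTML fragment (comment, message).
# Illustration only: a real implementation should walk the DOM with an HTML parser.
def rewrite_links(html)
  html.gsub(/href="([^"]*)"/) { %(href="#{warning_url_for(Regexp.last_match(1))}") }
end

# Warning page: re-validates the parameter so a crafted URL cannot turn the
# "continue" button into a javascript: or data: link, then renders the page
# with the noindex meta tag so search engines never index it.
def warning_page_html(param)
  uri = URI.parse(param.to_s)
  return nil unless %w[http https].include?(uri.scheme) && uri.host
  target = CGI.escapeHTML(uri.to_s)
  <<~HTML
    <!DOCTYPE html>
    <html><head><meta name="robots" content="noindex"><title>Leaving #{SITE_HOST}</title></head>
    <body>
      <p>You are about to leave #{SITE_HOST} and open <code>#{target}</code>.</p>
      <a href="#{target}" rel="noopener noreferrer">I understand, take me there</a>
    </body></html>
  HTML
rescue URI::InvalidURIError
  nil
end
```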
**Could this issue impact users' private data?**
Yes, it has a potential positive effect on users' private data, keeping it more secure.
**Funded by**
Not funded.
4 comments
Conversation with Andrés
I personally like the proposal. This is especially relevant if the instance has the WYSIWYG editor enabled for proposals, as this could be exploited. Also important to note is that, as Decidim has a strong copyleft license, all installations should be published as free software, making this kind of attack easier. Finally, as you mentioned in the PR, this would at least partially mitigate the possible exploit fixed in https://github.com/decidim/decidim/pull/6445
I was looking for examples to show the UX to the rest of the @product team. Do you have any real-world cases of sites that implement this?
> Do you have any real-world cases of sites that implement this?
I mentioned e.g. HackerOne as an example in the proposal. See e.g. the external links here:
https://hackerone.com/reports/179695
Facebook also implements it:
https://www.facebook.com/flx/warn/?u=https%3A%2F%2Fdecidim.org%2F
@andres Protonmail's implementation is nice: https://meta-decidim-production.s3.amazonaws.com/uploads/decidim/attachment/file/2811/thumbnail_Capture_d_e%CC%81cran_2020-12-13_a%CC%80_18.46.49.png
Hello, I made a similar proposal which I just withdrew.
Warning modal for external link
EU Commission funding could cover this.