[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

master 346e5712304: Never send user email address in HTTP requests

From: Stefan Kangas
Subject: master 346e5712304: Never send user email address in HTTP requests
Date: Sun, 17 Dec 2023 04:00:35 -0500 (EST)

branch: master
commit 346e5712304e66bb1b52387115b89d1966cf184b
Author: Stefan Kangas <stefankangas@gmail.com>
Commit: Stefan Kangas <stefankangas@gmail.com>

    Never send user email address in HTTP requests
    It used to be possible to customize 'url-privacy-level' so that the
    user's email address was sent along in HTTP requests.  Since
    'url-privacy-level' is also a blocklist, rather than an allowlist,
    this meant that a mere misconfiguration of Emacs risked exposing the
    user's email address.  This is a serious privacy risk, and it is thus
    better if we remove this dangerous feature altogether.
    * lisp/url/url-http.el (url-http-create-request): Never send the
    user email address.
    * lisp/url/url-vars.el (url-personal-mail-address): Make obsolete.
    * lisp/url/url-privacy.el (url-setup-privacy-info): Don't set
    above obsolete variable.
    * doc/misc/url.texi (Customization):
    * lisp/url/url-vars.el (url-privacy-level): Update documentation
    to reflect the above changes.
 doc/misc/url.texi       |  2 --
 etc/NEWS                |  8 ++++++++
 lisp/url/url-http.el    |  4 ----
 lisp/url/url-privacy.el | 10 ----------
 lisp/url/url-vars.el    |  9 +++++++--
 5 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/doc/misc/url.texi b/doc/misc/url.texi
index 6517f858324..3a447a20559 100644
--- a/doc/misc/url.texi
+++ b/doc/misc/url.texi
@@ -1231,8 +1231,6 @@ the @file{*URL-DEBUG*} buffer.
 A number means log all messages and show them with @code{message}.
 It may also be a list of the types of messages to be logged.
 @end defopt
-@defopt url-personal-mail-address
-@end defopt
 @defopt url-privacy-level
 @end defopt
 @defopt url-lastloc-privacy-level
diff --git a/etc/NEWS b/etc/NEWS
index 491ade0c069..918c12b91d2 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -1093,6 +1093,14 @@ Highlighting Tests" node in the ERT manual.
 ** URL
+*** URL now never sends user email addresses in HTTP requests.
+Emacs never sent email addresses by default, but it used to be
+possible to customize 'url-privacy-level' so that the users email
+address was sent along in HTTP requests.  This feature has now been
+removed, as it was considered more risky than useful.  The user option
+'url-personal-mail-address' is now also obsolete.
 *** 'url-gateway-broken-resolution' is now obsolete.
 This option was intended for use on SunOS 4.x and Ultrix systems,
diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
index ada6341ee73..947c6517ed1 100644
--- a/lisp/url/url-http.el
+++ b/lisp/url/url-http.el
@@ -358,10 +358,6 @@ Use `url-http-referer' as the Referer-header (subject to 
                   (url-port url-http-target-url))
                (format "Host: %s\r\n"
                        (url-http--encode-string (puny-encode-domain host))))
-             ;; Who its from
-             (if url-personal-mail-address
-                 (concat
-                  "From: " url-personal-mail-address "\r\n"))
              ;; Encodings we understand
              (if (or url-mime-encoding-string
                     ;; MS-Windows loads zlib dynamically, so recheck
diff --git a/lisp/url/url-privacy.el b/lisp/url/url-privacy.el
index 2be77b33035..be4b063d18f 100644
--- a/lisp/url/url-privacy.el
+++ b/lisp/url/url-privacy.el
@@ -59,16 +59,6 @@
            ('tty "TTY")
            (_ nil)))))
-  (setq url-personal-mail-address (or url-personal-mail-address
-                                     user-mail-address
-                                     (format "%s@%s"  (user-real-login-name)
-                                             (system-name))))
-  (if (or (memq url-privacy-level '(paranoid high))
-         (and (listp url-privacy-level)
-              (memq 'email url-privacy-level)))
-      (setq url-personal-mail-address nil))
   (setq url-os-type
         ((or (eq url-privacy-level 'paranoid)
diff --git a/lisp/url/url-vars.el b/lisp/url/url-vars.el
index 630de7f4e43..6d7d0d3c94c 100644
--- a/lisp/url/url-vars.el
+++ b/lisp/url/url-vars.el
@@ -90,6 +90,7 @@ This is what is sent to HTTP servers as the FROM field in an 
   :type '(choice (const :tag "Unspecified" nil) string)
   :group 'url)
+(make-obsolete-variable 'url-personal-mail-address nil "30.1")
 (defcustom url-directory-index-file "index.html"
   "The filename to look for when indexing a directory.
@@ -113,18 +114,22 @@ paranoid -- don't send anything
 If a list, this should be a list of symbols of what NOT to send.
 Valid symbols are:
-email    -- the email address
+email    -- the email address (in Emacs 29 or older)
 os       -- the operating system info
 emacs    -- the version of Emacs
 lastloc  -- the last location (see also `url-lastloc-privacy-level')
 agent    -- do not send the User-Agent string
 cookies  -- never accept HTTP cookies
+Emacs 30 and newer never includes the email address in the
+User-Agent string.  If you expect to use older versions of Emacs,
+it is recommended to always customize this list to include `email'.
  (setq url-privacy-level \\='high)
  (setq url-privacy-level \\='(email lastloc))    ;; equivalent to \\='high
- (setq url-privacy-level \\='(os))
+ (setq url-privacy-level \\='(email lastloc os emacs))
 This variable controls several other variables and is _NOT_ automatically

reply via email to

[Prev in Thread] Current Thread [Next in Thread]