Google Safe Browsing shows a warning on sandbox.cryptpad.info

Mathilde

I reported the issue using the form Firefox let you fill for this purpose when visiting the page.

Screenshot of Google Safe Browsing report sent

We had the same issue in the past with Microsoft Defender SmartScreen. We got the URL unblocked in a few days. However, as Google is a blackbox we can't interact with (are humans still working at Google??), there is not much we can do about it right now regarding the Google Safe Browsing issue.

The easiest, quickest workaround for this on the user side is to disable this functionality on your web browser.

For more information about where this privacy functionality comes from our side, you can read about it in our documentation: https://docs.cryptpad.org/en/dev_guide/basics.html#content-security-policy-csp-and-security

luiiuuuiiiii

Mathilde thank you, I did the same.

It's just a bit annoying when sharing a lot of links using richt text doc becomes inconvenient.

I found that it's not sandbox.cryptpad per se, it's the /bounce url.
so if the blacklist doesn't resolve (I hope it will soon..)
perhaps the workaround must be to somehow skip/change the bounce url.

HighCommander4

Mathilde For more information about where this privacy functionality comes from our side, you can read about it in our documentation: https://docs.cryptpad.org/en/dev_guide/basics.html#content-security-policy-csp-and-security

I've read the linked section, but I'm struggling to understand the connection to this issue.

I do understand that the document contents are rendered inside an iframe with the origin sandbox.cryptpad.info (and I can see this in the browser's developer tools Inspector as well). But why would that mean that links inside the document need to be bounced through that domain?

Mathilde

Hello,

luiiuuuiiiii perhaps the workaround must be to somehow skip/change the bounce url.

Skipping it isn't an option as it's a core privacy functionality of CryptPad. However, we though about changing the URL on our flagship instance.

The only issue we see with this is that it will likely end up being flagged as phishing as well by Google. Also, with the submitted reports for false-positive, they wouldn't be able to replicate the issue anymore. Ideally we would like the issue to be fixed on Google's end for good.

As mentioned in an earlier post, Google Safe Browsing services can easily be disabled client-side, directly from your web browser. If you care about your privacy, it's likely something you'd want to do anyway. Otherwise all your browsing history is automatically sent to Google on real-time, leaking quite a lot of information about yourself and/or your activities.

HighCommander4

Mathilde As mentioned in an earlier post, Google Safe Browsing services can easily be disabled client-side, directly from your web browser. If you care about your privacy, it's likely something you'd want to do anyway. Otherwise all your browsing history is automatically sent to Google on real-time, leaking quite a lot of information about yourself and/or your activities.

Note that, at least in Firefox, this is not the case (not sure about Chrome). As explained in Firefox's documentation, the list of blocked sites is downloaded from Google in bulk, and the browser's check against that list is done locally.

Mathilde

~~It seems to have been fixed on Google side~~, can anyone confirm?

luiiuuuiiiii

Mathilde it's still red on my side..

Mathilde

luiiuuuiiiii thanks for your feedback. 🙃

HighCommander4

Same here.

In any case, even if Google fixes it on their side, the question of why this bouncing is necessary in the first place remains. Would someone be able to share more information about that?

luiiuuuiiiii

HighCommander4 as I understood, this is actually exactly the step where to prevent potential dangereous link...

luiiuuuiiiii

I think a productive solution now is to (temporally) change the /bounce/ url for example to /rebond/

or use the same link behaviour as in onlyoffice document (altohough this might not be so elegant..).
link in onlyoffice

« Previous Page