couchdb-dev mailing list archives

From Jan Lehnardt <>
Subject Re: Newsfeed IFRAME in Fauxton and IP collection
Date Wed, 24 Jun 2020 08:37:51 GMT
Thanks ermouth,

I’m surprised my proposal made it through without discussion. I have the
same question ;D

FWIW, this “leaks” the browser connection to the internet, not necessarily
CouchDB instance data.

For a production version of this, I would at least expect an opt-in button
on that page, before loading remote content.

My PR was meant to start this discussion :)


> On 24. Jun 2020, at 10:33, ermouth <> wrote:
> Since I hadn’t received any answer at Github, I’d like to raise an
> important CouchDB Fauxton security question publicly.
> One of the latest Fauxton PRs (
> adds a remote newsfeed
> to Fauxton. Emitting a newsfeed in the admin panel in that way may lead to
> IP collection of CouchDB instances (or subnets, that is even worse)
> somewhere.
> Where is this ‘somewhere’ located? Pinging shows it points
> to, which seems a bit ridiculous. CouchDB instances are
> not uncommon for very critical parts of infrastructure and security
> projects, and I doubt anyone wants to expose node IPs to _whatever_ logs,
> esp
> So I’d like to ask devs and users: does anyone think adding news to the
> admin panel is worth creating such a security hole?
> ermouth
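
An added example, not part of this thread and not Fauxton's code: one way to build the opt-in gate suggested in the reply above, so the browser makes no request to the feed host until the user agrees. `FEED_URL`, `CONSENT_KEY` and `mountNewsfeed` are hypothetical names, and `doc`/`storage` stand for the browser's `document` and `localStorage`.

```javascript
// Added example. FEED_URL is a placeholder, not the feed address from the PR.
const FEED_URL = "https://newsfeed.example.invalid/";
const CONSENT_KEY = "newsfeed-remote-content-consent"; // hypothetical storage key

// Renders either an opt-in button or the remote iframe into `container`.
// `doc` and `storage` are injected (document / localStorage in a browser).
function mountNewsfeed(container, doc, storage) {
  const clear = () => {
    while (container.firstChild) container.removeChild(container.firstChild);
  };

  const showFrame = () => {
    clear();
    const frame = doc.createElement("iframe");
    // Restrictions are set before the frame is attached so they cover the first load.
    frame.setAttribute("sandbox", "");                   // no scripts, forms or top navigation
    frame.setAttribute("referrerpolicy", "no-referrer"); // do not send the admin UI's URL
    frame.setAttribute("src", FEED_URL);
    container.appendChild(frame); // the remote request starts only once attached
  };

  const showPrompt = () => {
    clear();
    const button = doc.createElement("button");
    button.textContent = "Load news from " + new URL(FEED_URL).host;
    button.addEventListener("click", () => {
      storage.setItem(CONSENT_KEY, "yes"); // remember the choice for this browser
      showFrame();
    });
    container.appendChild(button);
  };

  // Default is no remote content: nothing is fetched without a stored opt-in.
  if (storage.getItem(CONSENT_KEY) === "yes") showFrame();
  else showPrompt();

  // Returned so a settings page can withdraw consent and drop the iframe.
  return function revoke() {
    storage.removeItem(CONSENT_KEY);
    showPrompt();
  };
}
```

After opt-in the feed host still sees the browser's IP address; the gate only makes that a choice, and `no-referrer` keeps the admin panel's own URL out of the request.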
