Hi there,
Just found this amazing software since I want to ditch Evernote because they started to bloat their software, but is there going to be a browser plugin for Joplin? Like Evernote has, to clip a web page article, snapshot, etc. and put it directly in the main program.
Like the webclipper? It's available in both Chrome and Firefox flavours.
Speaking about the Web Clipper, Daeraxa, does the web clipper - while taking text and images and moving them into Joplin - strip ANY active content (regardless of whether this active content could cause security issues in Joplin or not)?
If the page does weird things with JavaScript or deferred loading of images etc. then they can indeed be missing. It also won't take any tags disallowed by Joplin like script elements.
Hello @Daeraxa, thanks for your answer, that helps. Would you say that this is "dependable" in the sense that it will rather filter "too much" out than "too little"? Or is there a chance, since it is not built as / meant as a "firewall"... that through the webclipper a Joplin profile could get "infected"?
@ajay I for one would encourage you to add some careful filtering straight in the browser, like uBlock Origin, etc.
You can always end up with dodgy links being recorded but things like scripts, XSS and malicious JS shouldn't get recorded.
You bet I do... but thank you for the reminder.
@Daeraxa, I assume you said "shouldn't" because you didn't develop the webclipper. And I realize the complexity of the issue and the possibility that even with well-intended and well-written code one can never be 100% sure. But before some other innocent user turns the webclipper on, I think such a discussion is worth it. In IT there are always two mutually exclusive goals: convenience and data security. Joplin (tries to) find a very good middle ground, but the cautious or security-concerned user will turn this feature OFF.
I did indeed say shouldn't because new security vulnerabilities can be found all the time. I'm not sure what sort of discussion can or should be had that hasn't been had before and patched out within Joplin. What kind of exploit are you worried about that hasn't been addressed already?
Your question is fully justified. But my approach is different. It is not a specific threat and how to address it, it is about:
a) has the web clipper interface been designed with data security as a very high priority (and not just high convenience)?
b) if not or not yet - is this sufficiently communicated to (non-IT-background) users, who apparently care about data security (otherwise they would not have moved to Joplin and E2EE)
c) under what circumstances is it better for these users to NOT use the webclipper at all.
It is all about educated, smart choice.
Thanks for discussing the subject with me!!!
Everything is designed this way, this is always a priority for us. That's why for example I've implemented this workflow to authenticate the web clipper from the app.
But in general the clipper is secure because we get the data directly from the browser DOM, and that has already been processed and secured by the browser.
That being said, if you're in a context where you have highly sensitive data and you're likely to be targeted then indeed it's always better to turn off as many features as possible, not just in Joplin. One advantage with Joplin is that we generally allow any feature that pulls external data to be disabled.