[Bug]: Hidden call to https://fonts.googleapis.com in style.css #14553
Comments
Ehm ... trolling?
The reason why "Google is informed" is to get the font, not how, why or what it is used for.
Ehm ... yes, because that's how computers interact in a network.
Sorry, that is just plain BS. You have obviously absolutely no clue about "security". To this day, not a single person can explain what the problem is when a computer, like millions of others every day, requests a file from another computer.
This is not a "security hole", this is just the downloading of recent resources. You can cut this off, but then you have to manually update this file when an update requires it.
Probably the Jehovah's Witnesses who want to monitor what you do with the thing ... I would suggest you start to learn how computers work, how networks work, how computers communicate in those networks, what "security" means in this context and how web development/programming works. BTW, did you know that your OS creates hundreds of connections each day and downloads files from Microsoft ... ?
I agree that it sounds alarming, even though there are no actual threats. Regarding the .js file, I believe it is officially hosted, and there is no immediate threat from external changes.
Wow, remarkable.
My honest conclusion is that you have neither read nor understood what the point was, therefore I suggest you let it go. Your passive-aggressive way of answering is not helpful here. P.S. chances are high some people using webui do not use Microsoft for these reasons; think before talking.
That has been in the code for some time: stable-diffusion-webui/style.css, lines 1 to 3 in cf2772f.
It is intended to fix stuff; read PR #10324 for the reasons. I'm not sure if that code is still necessary, but that's the original intent. Note we are in the process of switching to Gradio 4.x; see PR #14184.
It accesses the internet to stay up to date. If you don't want that, pull the plug of the network cable and it still works. But this doesn't change how all this works.
No, but it seems you also don't know about the things and how they work, do you?
Really? I don't add to a non-existent issue but explain how it works? Wow ... And I want you to quote the exact words of my insults or the swear words I used.
There is no issue. But feel free to explain about what "high security and secret" data we are talking about here when a computer gets (font) files from another computer. Please enlighten us.
Because it's convenient? If you don't like it, copy the font files to your computer (careful!! You have to access another computer to do that!) and remove the line in the CSS. Doing it all manually is a way, but nothing worth opening an issue report here and falsely talking about security threats or even using words like "spyware".
So you admit therefore that this "issue" isn't an issue, can be fixed blindfolded, and isn't worth an issue report? Thanks ... so why do you get on my nerves then instead of telling the TO?
Quite the contrary. The point is, there is no point. In his inexperience, the TO has labeled a perfectly normal technical process as highly dangerous, thereby scaring other inexperienced people to a high degree and unnecessarily. That is simply not acceptable.
Oh, of course ... MS has the only OS that sends, receives and reports files to a server, right ... how stupid of me ...
I'm undecided if I go on with this feud with the troll, or let it go, since it doesn't add to the issue.
Forgive the dumb American: What regulations? Specifically? In some sense I think I agree with you. I support you (and all other Europeans) going and downloading OpenWrt onto your router, blocking all web requests to internet tech giants, so that only the Chinese-manufactured hardware you are running can report your data back to the CCP. Like, at what level is the security risk acceptable to you? I'm curious how you learned about AI without using these giant tech companies like Google, Twitter, and Reddit? OH NO! You posted a bug report about AI on Microsoft-owned GitHub!!! Now the EU is going to track you down and imprison you since you admitted to using AI! Recommend wontfix since the bug is existential and beyond the scope of this repo.
Threat modelling, as the name suggests, is not about responding to current attacks (which would be illegal and considered criminal conspiracy if such anti-AI laws already existed) but rather about identifying and taking countermeasures against potential attacks. Clearly, some users are afraid of such attacks and there is no meaningful reason why this UI should connect to Google's server at any time. We can run this software on isolated virtual machines, use firewalls and whatnot, or this font could simply be bundled together with the software. There is basically no need for presenting your political or otherwise non-technical views that are not contributing to issue resolution.
As of 2f98a35, webui no longer loads fonts from Google Fonts; instead it downloads them from https://github.com/AUTOMATIC1111/stable-diffusion-webui-asset on webui install and serves them to the webpage front end, provided that you are using the "Default theme". Notice: if this post continues to deteriorate, this post will be locked.
Checklist
What happened?
The file style.css contains a call to https://fonts.googleapis.com to retrieve fonts. Do we have a reason to inform Google when we launch webui? A non-secured browser will send to Google the following information about each webui user.
Is this really necessary? In security terms, that falls into the spyware category.
I also found another security hole like that: the file iframeResizer.contentWindow.min.js is downloaded from https://cdnjs.cloudflare.com/ajax/libs/iframe-resizer/4.3.6/iframeResizer.contentWindow.min.js each time webui starts.
Called by the built-in extension canvas-zoom-and-pan.
I also found another call to play.google.com, not identified at this time whether it comes from an extension or from the webui.
Steps to reproduce the problem
...
What should have happened?
...
What browsers do you use to access the UI?
No response
Sysinfo
...
Console logs
Additional information
No response
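The audit this report amounts to, finding every third-party host that a served page's CSS and HTML would make a browser contact, as an added example in Python (not code from stable-diffusion-webui). The sample file contents are constructed; the hostnames and the cdnjs URL are taken from the issue, and `audit_assets` / `external_hosts` are hypothetical helper names.

```python
"""Audit front-end assets for resources fetched from third-party hosts.

Added example, not code from stable-diffusion-webui: it performs the
check the issue calls for, locating an @import of fonts.googleapis.com
in style.css or a <script> pulled from cdnjs.cloudflare.com, so an
operator sees every external host the served page would contact.
"""
import re
from urllib.parse import urlparse

# How CSS and HTML pull remote resources: @import, url(), src=/href=,
# including protocol-relative "//host/path" references.
_URL_PATTERNS = [
    re.compile(r"""@import\s+(?:url\(\s*)?['"]?((?:https?:)?//[^'")\s;]+)""", re.I),
    re.compile(r"""url\(\s*['"]?((?:https?:)?//[^'")\s]+)""", re.I),
    re.compile(r"""\b(?:src|href)\s*=\s*['"]((?:https?:)?//[^'"]+)""", re.I),
]

def external_hosts(text: str, first_party: set[str]) -> set[str]:
    """Return every host referenced in `text` that is not first-party."""
    hosts = set()
    for pat in _URL_PATTERNS:
        for m in pat.finditer(text):
            url = m.group(1)
            host = urlparse("https:" + url if url.startswith("//") else url).hostname
            if host and host not in first_party:
                hosts.add(host)
    return hosts

def audit_assets(assets: dict[str, str], first_party: set[str]) -> dict[str, set[str]]:
    """Map each third-party host to the asset files that reference it."""
    report: dict[str, set[str]] = {}
    for name, text in assets.items():
        for host in external_hosts(text, first_party):
            report.setdefault(host, set()).add(name)
    return report

# Constructed samples: BEFORE mirrors the report (real hostnames, made-up
# paths except the cdnjs one quoted in the issue); AFTER mirrors the fix,
# where the font is served from the webui's own origin.
BEFORE = {
    "style.css": "@import url('https://fonts.googleapis.com/css2?family=EXAMPLE');\n"
                 ".logo { background: url(/file=assets/logo.png); }\n",
    "index.html": '<script src="https://cdnjs.cloudflare.com/ajax/libs/iframe-resizer/'
                  '4.3.6/iframeResizer.contentWindow.min.js"></script>\n'
                  '<script src="//cdn.example.net/vendor.js"></script>\n',
}
AFTER = {"style.css": "@font-face { src: url('/file=fonts/example.woff2'); }\n"}
FIRST_PARTY = {"127.0.0.1", "localhost"}
```

`audit_assets(BEFORE, FIRST_PARTY)` reports fonts.googleapis.com for style.css and cdnjs.cloudflare.com plus cdn.example.net for index.html, while `audit_assets(AFTER, FIRST_PARTY)` is empty because the locally served `/file=` path never leaves the webui's origin.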