SPOOFED: Re: <META> overloading...
James Tomasino
tomasino at lavabit.com
Fri May 29 16:17:49 BST 2020
On 5/29/20 3:10 PM, colecmac at protonmail.com wrote:
>> I think we need to rule out the equivalent of
> All existing clients rule this out, I don't see the issue. As long as
> clients continue not to execute arbitrary Javascript, it should be fine.
>
> makeworld

More so, I think we just keep beating people over the head that
text/gemini is a text document format and links *MUST* not be prefetched
or loaded without user interaction. They should also be inspectable in
some way so the user knows where they lead.

These are security things, not a matter of convenience and pretty
display. An image link pointing to a tracking pixel shouldn't auto-load.
A data link trying to run an arbitrary script should be seen for what it is.

I'd suggest that be made extremely clear in the spec itself. *Can*
someone build a client on gemini that doesn't follow that rule? Sure!
There will be crawlers running through its space doing exactly that, but
a client for users should respect their users.
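
A sketch of the "inspectable, never auto-loaded" rule from the message above, added here as an example and not part of the original post or of any Gemini client: it parses text/gemini link lines, resolves them against the page URL, and reports where each one leads without making any request. The function name, the sample page and all hosts are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit, uses_netloc, uses_relative

# urljoin() only resolves relative references for schemes it knows about.
for registry in (uses_relative, uses_netloc):
    if "gemini" not in registry:
        registry.append("gemini")

FENCE = "`" * 3  # gemtext preformatted toggle; link syntax inside it is plain text

def describe_links(page_url, gemtext):
    """Return one record per link line. Nothing is fetched here."""
    page_host = urlsplit(page_url).hostname
    links, preformatted = [], False
    for line in gemtext.splitlines():
        if line.startswith(FENCE):
            preformatted = not preformatted
            continue
        if preformatted or not line.startswith("=>"):
            continue
        parts = line[2:].split(maxsplit=1)
        if not parts:
            continue  # "=>" with no URL is not a link
        target = urlsplit(urljoin(page_url, parts[0]))
        notes = []
        if target.scheme != "gemini":
            notes.append(f"non-gemini scheme: {target.scheme}")
        elif target.hostname != page_host:
            notes.append(f"leaves {page_host}")
        links.append({"label": parts[1].strip() if len(parts) > 1 else "",
                      "target": target.geturl(), "notes": notes})
    return links

# Constructed sample page; all hosts are placeholders.
SAMPLE = "\n".join([
    "# Constructed page",
    "=> notes.gmi Local notes",
    "=> gemini://other.example/ Another capsule",
    "=> https://tracker.example/pixel.png Cute picture",
    "=>data:text/html,constructed",
    FENCE,
    "=> gemini://ignored.example/ shown as text, not a link",
    FENCE,
])

if __name__ == "__main__":
    for n, link in enumerate(describe_links("gemini://example.org/docs/index.gmi", SAMPLE), 1):
        flags = f"  [{'; '.join(link['notes'])}]" if link["notes"] else ""
        print(f"{n}. {link['label'] or '(no label)'} -> {link['target']}{flags}")
```

A client would show this list and issue a request only for the entry the user selects.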