I enabled "Ctrl-click required to follow the links" and "Block links from locations not trusted". I choose the "very high" macro security and the list of trusted sources is empty.
But when I try to load the attached HTML document (see https://pastebin.com/Qn91Yi7Q), LO still try to open the connection located at the line 676.
The machine where I conduct the test cannot open external connections.
I don't know if the other external links in that file are being loaded or not.
Steps to Reproduce:
1. Launch LO with stealth mode
2. Load the file
1. LO is waiting an infinite long time (over ten minutes)
2. "netstat -a" shows a SYN_SENT to 220.127.116.11:80
tcp4 0 0 18.104.22.168.41790 22.214.171.124.80 SYN_SENT
3. lsof(8) confirms that connection orginates from LO
4. The TCP handshake cannot be completed due to the restrictions in the firewall, LO waits indefinitely.
LO should be displaying the file, maybe asking me if I want to follow the links
User Profile Reset: Yes
Build ID: FreeBSD ports 5.3.7_2
CPU Threads: 2; OS Version: FreeBSD 11.1; UI Render: default; Layout Engine: new;
Locale: en-US (C); Calc: group
$ uname -a
FreeBSD mail.cs.ait.ac.th 11.1-RELEASE-p6 FreeBSD 11.1-RELEASE-p6 #11 r326754: Tue Dec 12 11:41:24 +07 2017 firstname.lastname@example.org:/usr/obj/usr/src/sys/CSIM amd64
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2600.0 Iron Safari/537.36
Created attachment 139291 [details]
The HTML file that causes the problems
It seems LO continues trying to send new connection when the first SYN expires: after a wile I have a different netstat result (different port):
tcp4 0 0 126.96.36.199.55379 188.8.131.52.80 SYN_SENT
The line you refer to is an input field of the type image:
So you are proposing Tools - Options - LibreOffice - Security - Security options and warnings - "Block links from locations not trusted" should disable loading of external images. It's a valid request, similarly to what email clients do by default (such as Thunderbird).
I confirm I see the "Submit" image when I load the file with the high security settings.
Arch Linux 64-bit
Build ID: 26783527823883ccd5bbf3b9e014a0a3c1e3a022
CPU threads: 8; OS: Linux 4.15; UI render: default; VCL: kde4;
Locale: fi-FI (fi_FI.UTF-8); Calc: group
Built on February 16th 2018
Caolán: I was discussing this on IRC with another person and he noted your commit  concerns links inside externally loaded documents instead of any & all links. This person, too, thought the option would block any untrusted links.
How do you feel this request should be dealt with? Should the option be repurposed to this very greedy mode people are expecting?