Description: I enabled "Ctrl-click required to follow the links" and "Block links from locations not trusted". I choose the "very high" macro security and the list of trusted sources is empty. But when I try to load the attached HTML document (see https://pastebin.com/Qn91Yi7Q), LO still try to open the connection located at the line 676. The machine where I conduct the test cannot open external connections. I don't know if the other external links in that file are being loaded or not. Steps to Reproduce: 1. Launch LO with stealth mode 2. Load the file 3. Actual Results: 1. LO is waiting an infinite long time (over ten minutes) 2. "netstat -a" shows a SYN_SENT to 173.247.251.214:80 tcp4 0 0 192.41.170.16.41790 173.247.251.214.80 SYN_SENT 3. lsof(8) confirms that connection orginates from LO 4. The TCP handshake cannot be completed due to the restrictions in the firewall, LO waits indefinitely. Expected Results: LO should be displaying the file, maybe asking me if I want to follow the links Reproducible: Always User Profile Reset: Yes Additional Info: Version: 5.3.7.2.0+ Build ID: FreeBSD ports 5.3.7_2 CPU Threads: 2; OS Version: FreeBSD 11.1; UI Render: default; Layout Engine: new; Locale: en-US (C); Calc: group $ uname -a FreeBSD mail.cs.ait.ac.th 11.1-RELEASE-p6 FreeBSD 11.1-RELEASE-p6 #11 r326754: Tue Dec 12 11:41:24 +07 2017 root@mail.cs.ait.ac.th:/usr/obj/usr/src/sys/CSIM amd64 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2600.0 Iron Safari/537.36
Created attachment 139291 [details] The HTML file that causes the problems
It seems LO continues trying to send new connection when the first SYN expires: after a wile I have a different netstat result (different port): tcp4 0 0 192.41.170.16.55379 173.247.251.214.80 SYN_SENT
The line you refer to is an input field of the type image: <td align="right"><a href="javascript:GoTofff();"><INPUT onclick="return GoTofff()" border="0" src="http://icacci-conference.org/site/sites/default/files/submit_icon.gif" type="image" Value="submit"></a></td><td width="1"></td> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/image So you are proposing Tools - Options - LibreOffice - Security - Security options and warnings - "Block links from locations not trusted" should disable loading of external images. It's a valid request, similarly to what email clients do by default (such as Thunderbird). I confirm I see the "Submit" image when I load the file with the high security settings. Arch Linux 64-bit Version: 6.1.0.0.alpha0+ Build ID: 26783527823883ccd5bbf3b9e014a0a3c1e3a022 CPU threads: 8; OS: Linux 4.15; UI render: default; VCL: kde4; Locale: fi-FI (fi_FI.UTF-8); Calc: group Built on February 16th 2018
Caolán: I was discussing this on IRC with another person and he noted your commit [0] concerns links inside externally loaded documents instead of any & all links. This person, too, thought the option would block any untrusted links. How do you feel this request should be dealt with? Should the option be repurposed to this very greedy mode people are expecting? [0] https://cgit.freedesktop.org/libreoffice/core/commit/?id=0b7f4a4f57117fde33d0b1df96134aa6ccce023e