
HTML reports unnecessarily pull content from the web - with potential privacy and security concerns #163

@samuell

Description

Describe the bug
The stylesheet files and images included in the microSALT reports are gathered from various places on the web, such as GitHub and some content delivery networks (CDNs).

While this is practical for many reasons, it also means that all accesses of microSALT reports are logged by various commercial and/or state organizations outside of Sweden, which can then see the IP address and a lot of browser information of whoever opens the reports, which is probably not desirable.

The biggest problem is perhaps if this information is used by evil actors to identify IP addresses where sensitive information is stored, thus drawing attention to them.

Also sometimes the viewing of a report can stall on "Establishing a TLS handshake with CDN ..." as seen in one of the screenshots below.

To Reproduce
Steps to reproduce the behavior:

  1. Open up a microSALT report in e.g. Firefox.
  2. Press Ctrl+U to view the source code of the report
  3. Search for "<img" or "stylesheet".
  4. Notice that the sources of these are addresses on the web.

Expected behavior

I think it would probably be desirable that stylesheets and images were either linked to local files, or embedded in the HTML (which is possible even for PNG images, using base64 encoding; see e.g. here).

Screenshots

[screenshot 1]

[screenshot 2]

Software version (please complete the following information):

  • microSALT 3.3.5
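The two remedies proposed in the report, auditing a generated HTML file for resources a browser would fetch from the web and embedding stylesheets as `<style>` blocks and images as base64 `data:` URIs, as an added example that is not part of the issue or of microSALT. The sample HTML, the URLs and the asset bytes are constructed here; a real build step would read the asset files that ship with the report generator.

```python
import base64
import mimetypes
import re
from html.parser import HTMLParser

# Constructed sample of a report whose stylesheet and logo are loaded from the web
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="https://cdn.example.com/theme.css">
</head><body><img src="https://raw.githubusercontent.com/example/logo.png" alt="logo">
<img src="local/chart.png" alt="chart"></body></html>"""

# Constructed stand-in for asset files shipped with the report generator
LOCAL_ASSETS = {
    "https://cdn.example.com/theme.css": b"body { font-family: sans-serif; }",
    "https://raw.githubusercontent.com/example/logo.png": b"\x89PNG\r\n\x1a\n",
}

class _RefCollector(HTMLParser):
    """Collect the URLs of <link rel=stylesheet>, <img> and <script> tags."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.refs.append(a["href"])
        elif tag in ("img", "script") and a.get("src"):
            self.refs.append(a["src"])

def external_refs(html):
    """Audit check: every resource URL a browser would fetch from the web."""
    p = _RefCollector()
    p.feed(html)
    return [r for r in p.refs if re.match(r"^(https?:)?//", r)]

def inline_assets(html, assets):
    """Embed web-hosted stylesheets as <style> blocks and images as data: URIs."""
    def css(m):
        body = assets.get(m.group(1))
        if body is None or "stylesheet" not in m.group(0):
            return m.group(0)  # unknown URL or not a stylesheet: leave untouched
        return "<style>" + body.decode() + "</style>"
    def img(m):
        body = assets.get(m.group(2))
        if body is None:
            return m.group(0)  # no local copy: external_refs() will still flag it
        mime = mimetypes.guess_type(m.group(2))[0] or "application/octet-stream"
        return f'{m.group(1)}data:{mime};base64,{base64.b64encode(body).decode()}"'
    html = re.sub(r'<link\b[^>]*\bhref="([^"]+)"[^>]*>', css, html)
    return re.sub(r'(<img\b[^>]*\bsrc=")([^"]+)"', img, html)
```

Running `external_refs` over the output of `inline_assets` is the regression check: an empty list means the report can be opened without any request leaving the viewer's machine.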
