add SECURITY.md
This commit is contained in:
parent
1cd911ab63
commit
013d410bd8
27
SECURITY.md
Normal file
@ -0,0 +1,27 @@
# Security Policy
## Reporting a Vulnerability
Anki does not currently have a bug bounty program, but if you have discovered a
security issue, a private message on our support site would be greatly
appreciated. No account is required to post a message:
https://anki.tenderapp.com/discussion/new
## FAQ
### Javascript on Cards/Templates
Anki allows users and shared deck authors to augment their card designs with
Javascript. This is used frequently, so disabling Javascript by default would
likely break a lot of the shared decks out there. That said, the default may be
changed in the future.
The computer version has a limited interface between Javascript and the parts of
Anki outside of the webview, so arbitrary code execution outside of the webview
should not be possible.
AnkiWeb hosts its study and editing interface on a separate ankiuser.net domain,
so that malicious Javascript on cards can not trigger endpoints hosted on the
main site. If you've found that not to be the case, or found an instance of JS
not being filtered on the main site, please let us know.
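Review bot: The "Reporting a Vulnerability" section offers a single public support-site thread as the only channel and says nothing about what a report should contain or when a reporter can expect an acknowledgement; consider adding a dedicated security contact (for example an email address, with a public key if encrypted reports are wanted), a short list of what to include (affected version, platform, reproduction steps), and a target response time. A "Supported Versions" section stating which releases receive security fixes is also the conventional SECURITY.md layout and is missing here. In the FAQ, the statement that "arbitrary code execution outside of the webview should not be possible" rests on the "limited interface between Javascript and the parts of Anki outside of the webview"; linking to where that interface is defined or documented would let readers verify the scope of the claim rather than take it on trust. Style: the spelling "Javascript" appears throughout (heading and body); the product name is written "JavaScript".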