by emarsden 777 days ago
From the README: “Stirling PDF does not initiate any outbound calls for record-keeping or tracking purposes”. Beyond auditing the code, how could a potential user verify this claim in advance, and how can a web-based app help support such a claim (in particular when the app does need to make some web requests to operate, but only to a restricted list of URLs that might be listed in a manifest along the lines of a Content-Security-Policy for instance)?

This is a concrete problem when deploying apps that need the user to “upload” some sensitive content.

5 comments

Little Snitch[1] can help you out when self-hosting. When not self-hosting, all bets are off and my default stance is "expect the worst".

[1] https://www.obdev.at/products/littlesnitch/index.html

Edit: LS is macOS oriented. I'm sure there are others, but I'm not into it. I feel it should be an OS-level feature, but who am I.

> LS is MacOS oriented

There's opensnitch on Linux. There's also something similar on Windows but I don't remember what it's called.

TinyWall for Windows.

If you're self-hosting on kubernetes, you can set up network policies with a deny-all egress rule for this deployment/pod. This would block all outward network calls.
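
The deny-all egress policy this comment describes, as an added example that is not from the thread or from any project mentioned in it. The script prints a NetworkPolicy manifest for pods carrying a hypothetical `app=<label>` label; the namespace, the label and any CIDRs are placeholders, and the policy only has an effect on clusters whose CNI plugin enforces NetworkPolicy.

```shell
#!/bin/sh
# deny_egress_policy NAMESPACE APP_LABEL [CIDR...]
# Prints a NetworkPolicy that selects pods labelled app=APP_LABEL and denies
# all egress, except to any CIDRs given (each becomes an ipBlock rule).
# Namespace, label and CIDRs are placeholders chosen by the caller.
deny_egress_policy() {
  ns=$1; app=$2; shift 2
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ${app}-deny-egress
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: ${app}
  policyTypes:
  - Egress
EOF
  if [ $# -eq 0 ]; then
    # Egress in policyTypes plus an empty egress list blocks every outbound
    # connection from the selected pods, cluster DNS included.
    echo "  egress: []"
    return 0
  fi
  echo "  egress:"
  for cidr in "$@"; do
    # One rule per allowed destination range; everything else stays blocked.
    printf '  - to:\n    - ipBlock:\n        cidr: %s\n' "$cidr"
  done
}

# Demonstration with placeholder values: a fully closed policy, then one that
# still permits the constructed home-network range.
deny_egress_policy pdf-tools stirling-pdf
echo "---"
deny_egress_policy pdf-tools stirling-pdf 10.0.0.0/24
```

Pipe the output to `kubectl apply -f -`. With no CIDR argument the `egress: []` form blocks everything, including name resolution, so an app that needs cluster DNS or a specific upstream gets exactly those ranges as arguments and nothing more. After applying, `kubectl exec` into the pod and attempt an outbound connection to confirm the policy is actually enforced by the cluster's CNI.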

> in particular when the app does need to make some web requests to operate

A web app doesn't need to make any outbound web requests to operate. A user interacting with a web app is the one initiating the requests.

You can give access to the app through an HTTP proxy and filter out any outbound requests from the web app, or even not configure the network routing for the server hosting that app. That leaves you with only JS-initiated requests in the rendered pages of the app.

That's a problem with just about any package, library or system you use in the end.

Open source runs in a large amount of trust, and we're all complicit.

Sure, but these types of applications are running in a web browser sandbox, which benefits from enormous engineering resources to protect the host computer from malicious actions by the remote code. I'm wondering whether this execution environment (augmented with some policy mechanism to allow apps to declare their URL access needs, a little like an AppArmor or network firewall policy) could also provide some guarantees concerning privacy or information security.

Just put a sniffer or network capture tool like Wireshark in between. Additionally you could restrict the app's network access entirely to just your local home network.

It seems that there is some missing tooling to make this convenient.

You can run a local bundle of HTML/JS/WASM in a web browser instance that you isolate (for example with firejail) to prevent network access. You distribute as a zip/tgz, but it's not obvious how to handle updates without a full redownload. Distributing with a full Electron-like interface is obviously overkill.

If you're running a web app that's hosted elsewhere (which will be much more convenient for most people), your web browser or the software isolation functionality (or firewall/proxy) needs to distinguish between the initial resource loads (approve) and later sneaky logging requests (ban).

There are Android applications such as TrackerControl that have related functionality (operates as a local VPN to filter all network requests and block tracking) but I don't know of convenient tools for the desktop (Linux, in particular).
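
The capture-and-compare step from the Wireshark comment above, and the distinction the last comment draws between the expected initial loads and later unexpected requests, as one added example that is not from the thread or any tool it names. It assumes tcpdump's default `-nn` text line format; the capture lines, the app address 10.0.0.5, the browser address 10.0.0.9 and the outside address 203.0.113.10 are all constructed.

```shell
#!/bin/sh
# Constructed tcpdump -nn style lines (not a real capture): the self-hosted
# app at 10.0.0.5 answers a browser at 10.0.0.9, then opens connections of
# its own to an address outside the home network (203.0.113.10).
SAMPLE_CAPTURE='12:00:01.000001 IP 10.0.0.9.51234 > 10.0.0.5.8080: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.0.5.8080 > 10.0.0.9.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000003 IP 10.0.0.5.33000 > 10.0.0.53.53: Flags [S], seq 3, win 64240, length 0
12:00:02.000004 IP 10.0.0.5.33001 > 203.0.113.10.443: Flags [S], seq 4, win 64240, length 0
12:00:02.000005 IP 10.0.0.5.33002 > 203.0.113.10.443: Flags [S], seq 5, win 64240, length 0'

# egress_audit APP_IP [ALLOWED_PREFIX...] < capture
# Reads tcpdump text lines on stdin, keeps only connection attempts the app
# itself initiates (SYN without ACK, source APP_IP), and prints each
# destination ip:port whose address does not start with an allowed prefix.
# Returns 0 when nothing unexpected was seen, 1 otherwise.
egress_audit() {
  app_ip=$1; shift
  found=$(awk -v app="$app_ip" -v allowed="$*" '
    BEGIN { n = split(allowed, pfx, " ") }
    # Field layout: time IP src.port > dst.port: Flags [S], ...
    $2 == "IP" && index($3, app ".") == 1 && $7 == "[S]," {
      dst = $5; sub(/:$/, "", dst)         # "203.0.113.10.443"
      port = dst; sub(/.*\./, "", port)    # "443"
      ip = dst; sub(/\.[0-9]+$/, "", ip)   # "203.0.113.10"
      ok = 0
      for (i = 1; i <= n; i++) if (index(ip, pfx[i]) == 1) ok = 1
      if (!ok && !seen[ip ":" port]++) print ip ":" port
    }' | sort)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Demonstration: only the constructed home network 10.0.0.0/24 is expected,
# so the two connections to 203.0.113.10:443 are reported once.
if printf '%s\n' "$SAMPLE_CAPTURE" | egress_audit 10.0.0.5 10.0.0.; then
  echo "no unexpected egress"
else
  echo "unexpected outbound connections listed above"
fi
```

Against a live host the same function reads from tcpdump directly, with a capture filter that already limits the stream to SYN-only packets: `tcpdump -nn -l -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | egress_audit 10.0.0.5 10.0.0.`. Because the check keys on who initiates the connection rather than on the protocol, the browser's own requests to the app never count, and anything the app dials out to after the page has loaded shows up even if it goes over port 443.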