[cups.general] Open url in browser on print send

alet at librelogiciel.com alet at librelogiciel.com
Fri Oct 16 13:24:13 PDT 2009 

On Fri, Oct 16, 2009 at 09:44:47AM -0700, Michael Sweet wrote:
> On Oct 16, 2009, at 12:41 AM, alet at librelogiciel.com wrote:
> > On Thu, Oct 15, 2009 at 10:08:15PM -0700, Michael Sweet wrote:
> >> On Oct 15, 2009, at 7:57 PM, Lachlan Macwhirter wrote:
> >>
> >>> Hi, apologies if this should be in a different forum. I have a
> >>> printer set up in cups that I can send too via ipp. Would it be
> >>> possible to have jobs sent to this printer return a url to the
> >>> sender and have the sender open that url in a browser?
> >>>
> >>> Basically want to print the job, have the printer render the job as
> >>> an image and return a url to the sender pointing at that image.
> >>
> >> Sorry, but that's not possible through CUPS.  You can define an RPC
> >> mechanism for a backend to talk to a user application, but that
> >> generally would only work on the local system and you'd need to be
> >> sure you are talking to the owner of the job (unless you don't care
> >> about privacy issues...)
> >
> > I respectfully disagree : any backend already knows the jobid, print
> > queue name (and user name), so can retrieve the job-originating-host-
> > name
> > and job-originating-user-name attributes for a job through a single
> > IPP_GET_JOB_ATTRIBUTES query to http://localhost:631
> >
> > Once these values are known, your backend can interact with a client
> > side application which expects incoming connexions from the print
> > server (your backend).
>
> Note that, as a side-effect of allowing Samba and cups-lpd to provide
> their own remote host information, job-originating-host-name can be
> spoofed from the local system.  Therefore, it should not be relied
> upon for this sort of thing.
>
> Similarly, the job-originating-user-name can be spoofed (although you
> can require authentication to make that less likely), so you have to
> be careful about relying on that information as well.

You are right. These restrictions can probably be at least removed in a
controlled environment : allow clients to print directly to
http://server:631, and disable samba and cups-lpd

> Regardless, you would still want to ensure that the desktop you are
> talking to has the specified user logged in, otherwise you're showing
> potentially sensitive information to someone else.

Then the url sent to the client machine through a specific backend +
client side application should probably lead to an authentication
restricted area, with the identification form pre-filled with the
username retrieved from the backend.

bye

Jerome Alet

More information about the cups mailing list