Bug 421886

SUMMARY
On a website (example below) where plasma-browser-integration finds an art for the currently playing media, the add-on does send the URL for this art using MPRIS to the desktop environment, which is quite a nice feature. However this feature introduces issues which are not stated in the description of the addon. Per definition, the desktop environments trusts these URLs to get a proper art URL because these URLs come from application the user should fully trust. If plasma-browser-integration is installed, it allows any webpage you visit to let the desktop environment download and open the URL it wants to. This leads to following issues:
- This request is outside the expectation of any user who does not know how MPRIS works.
- The protections the browser is using (using a proxy, using HTTPS only, only connect to trusted thirdparty domains) may not apply to the desktop environment. In case of circumventing a proxy or a HTTPS-only rule, the privacy of the user may be at a higher risk.
- The server getting the request from the desktop environment may now know which environment the user runs on his system due to the 'User-Agent' header. The common user only expects that the kernel and browser may be known to the server.
- If the browser is running with further restrictions (AppArmor, SELinux, snap, …), these restrictions may not apply to the desktop environment requesting the art.

STEPS TO REPRODUCE
1. Open a webpage embedding a video with a thumbnail in your browser (example: https://www.youtube.com/watch?v=tPDF3LMG_q8). In my example you need to start playing the video.
2. Open the media player widget of Plasma to ensure the thumbnail is shown (indicates remote request for thumbnail)
3. Run `playerctl metadata` (requires https://github.com/altdesktop/playerctl/) and search for an entry like below (verifies remote source of art, URl may change):
`plasma-browser-integration mpris:artUrl https://i.ytimg.com/vi/tPDF3LMG_q8/hqdefault.jpg?<ADDITIONAL-GET-PARAMETER>`

EXPECTED BEHAVIOR
I expect & recommend that either no art url is shown, only trusted domains (for the art URL, not the webpage itself!) are downloaded or the browser downloads the art to a cache directory where the desktop environment can load it. This would limit the attack vectors massively and either let users decide where their data (about the desktop environment) goes or it even is not required.

SOFTWARE/OS VERSIONS
Kernel: Linux 5.6.0-1-amd64
OS: Debian GNU/Linux Bullseye/Sid
(available in About System)
KDE Plasma Version: 5.17.5
KDE Frameworks Version: 5.62.0
Qt Version: 5.12.5

ADDITIONAL INFORMATIONS
I discovered this issue because due to a video embedded into a website my plasma-desktop crashed repeatedly until the site was closed or the plasma-browser-integration was disabled. I could not find the page again to research why Plasma kept crashing (if I find a similar case, I will append the URL to this issue). Plasma was showing a certificate issue because I temporarily trusted the certificate of the server in my browser but not in Plasma. But this issue should focus on the general security & privacy issues of this otherwise great feature.