Add Kagi Search shouldn't save with session token in url

feedbackhax

When adding Kagi as search engine, it will save the URL with the session token in it.
Like the session link from the settings.

This means whenever I search something my session token pops up for a second. It is visible in the URL bar.

This means I basically can't use Kagi securely when people could film my screen, i.e., in public.

This happens only when adding the Kagi search engine from the browser ui (opensearch.xml). But it is the default way to add a search engine and it is "leaking" my session cookie in the GET parameters.

Users can avoid this by manually setting the search engine URL. But only if they notice it and know this stuff.

Since I am logged in, I don't need the session link there.

Note that I'm not saying it's a urgent critical security issue, but it is odd and should be changed IMO

feedbackhax

I get that this was built, so users that delete their cookies when the browser closes can still use this 'Add search engine "Kagi Searvh"' button, but I think it's more risky than good. People who delete their cookies can manually set the search engine URL.

Vlad

@z64 Can you expand on why we added private token there?

z64

Vlad We add it there so opening Kagi in private browsing works out of the box, since FF users cannot manually add the token in

feedbackhax

Hmm, I wonder if there's a user friendly way to do this...
Maybe you can add a special site that has the opensearch spec with the token.
And in the docs you say something like: "if you delete cookies, you need to use the session link version. To do that go to /searchwithoutcookies".

That doesn't sound appealing.

But e.g. the /html/ version of kagi also sets the html search engine, so this can be split up somehow.