Passwords App uses third party connection raw.githubusercontent.com -> is that really necessary?

Hi Devs,

I just wanted to ask why that is and if that is really necessary because now I block third parties:

Here is a screenshot:

image

Thanks.

Just for me, can you please post what is requested there? E.g. in Firefox press Ctrl+Shift+E, then renew the page and you should be able to see the request to GitHub that was blocked by uMatrix.

@florom

Not really nice or necessary. I found this for you:

If you are running an outdated version of Passwords, the handbook may be inaccurate.
Since the handbook resources will be fetched when they are requested, the handbook domain (raw.githubusercontent.com) will be whitelisted in the Content Security Policy of the app.

I posted an issue for you:

1 Like
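The handbook text quoted above says the handbook domain is whitelisted in the app's Content Security Policy. As an added example (not part of this thread and not the Passwords app's code), the sketch below lists which external hosts a CSP header permits and under which directives; the header value, the function names and the host `cloud.example.org` are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample header for illustration only; the directives the real
# app sends are not shown in this thread and may differ.
SAMPLE_CSP = (
    "default-src 'none'; script-src 'self' 'nonce-abc123'; "
    "img-src 'self' data: blob: https://raw.githubusercontent.com; "
    "media-src 'self' https://raw.githubusercontent.com; "
    "connect-src 'self' https://raw.githubusercontent.com"
)

def parse_csp(header):
    """Return {directive: [source expressions]} for one CSP header value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # A repeated directive is ignored by browsers; the first one wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def host_of(source):
    """Host named by a source expression, '*' for the wildcard, else None."""
    if source == "*":
        return "*"  # allows any host, so it is reported as external
    if source.startswith("'"):
        return None  # keyword, nonce or hash source
    if source.endswith(":") and "/" not in source:
        return None  # scheme source such as data: or blob:
    if "://" not in source:
        source = "//" + source  # bare host source without a scheme
    return urlsplit(source).hostname

def third_party_hosts(header, own_host):
    """Map each external host the policy allows to the directives allowing it."""
    found = {}
    for directive, sources in parse_csp(header).items():
        for src in sources:
            host = host_of(src)
            if host and host != own_host.lower():
                found.setdefault(host, []).append(directive)
    return found

if __name__ == "__main__":
    hits = third_party_hosts(SAMPLE_CSP, "cloud.example.org")
    for host, directives in hits.items():
        print(host, "allowed by", ", ".join(directives))
```

A host appearing in the policy only means the browser is permitted to contact it; whether a request is actually sent has to be confirmed in the browser's network panel.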

@florom Thanks for asking your question here in the forum instead of abusing the issue tracker as a “let me speak to the manager” button.

@devnull No thanks for then doing exactly that.

The handbook contains quite a lot of images, videos and other files. It is also updated more often than the app. This is why it is not shipped with the app and instead hosted elsewhere.

Of course I am aware that some users rightfully do not like the idea of having requests to Microsoft's GitHub in their Nextcloud. Other users may also have an interest in serving a version of the handbook that is tailored to their users.

This is why the admin manual contains a section explaining how to host the handbook on your infrastructure.

As an added bonus, this even allows you to enable hidden features within the app for your users.

2 Likes

Yes. But is one HTTP request always sent to https://raw.githubusercontent.com or not? I think this is not necessary, like using two-click solutions for Facebook & Co to deny tracking.

2 Likes

Hi gas85,

devnull answered that.
Nevertheless, imho, for me it is irrelevant what it wants from GitHub. There should not be a connection possible in default settings.

Hi @mdw,

If I post an issue on the issue tracker it is certainly not a “let me speak to the manager” button. I think it is a defect in the app or an enhancement for the app where everyone can benefit from.
Like the issue(s) I posted before. I did not talk about the “framework” and I am certainly not proposing any strategy changes which would be “the management thing”.
Defects are part of development; sometimes the developer encounters them and sometimes users.

I had three reasons why I posted it here and not in the issue tracker:

1. If somebody else wonders about that he gets this post. I somehow suspected that this is by design and will not be changed because of my post.
2. I wanted the users to be aware that there is imho a privacy breach where users have to talk to or do admin work to get this fixed manually even if everything is installed on default.
(My meaning of Default in Nextcloud: I see Privacy above all. Even performance, comfort, usability and sometimes if it contradicts security too. There are lots of apps where privacy is not first choice and therefore can focus elsewhere.)
3. As user, and not developer, I wanted to know if somebody cares and/or read another opinion on this issue.

It is not my definition of Default and Privacy. Like @devnull suggested, there could be two steps for the handbook when users really need the handbook. Nevertheless, hosting the handbook on own hardware is possible, the advantage of getting it updated on time is gone.
It is a bit tricky too: the URL has to work, otherwise it will make a connection to GitHub. So I need another working website solely for the handbook. I have not done that so this text might not be reliable.

Thanks for the hint, but I rarely use hidden features because if something goes wrong I could lose a lot of passwords or will not have access to it in time of need.

I am sorry that the issue @devnull posted is already closed.

1 Like

That was actually directed at the issue that was opened and did not follow the feature request form and was not understandable without this (linked) post. That was effectively summoning me here just two hours after the post was opened, just to find out that the requested feature already existed. I should have been less passive-aggressive about this though.

That aside, I had the time over the winter holidays to look into where the request comes from. The handbook itself should only make requests when the user actively opens it. It was caused by a hidden feature - the tutorial and the end-to-end encryption. So with 2021.1.0 the featureset data is delivered by the server instead. The server fetches this data from the handbook url at max once a day. You can also now disable the feature management entirely as described in the wiki article linked in a previous post.

The handbook and the apps section still do make a request to the handbook url when opened as they are both updated more regularly than the app.

2 Likes

There is now a new app https://apps.nextcloud.com/apps/passwords_handbook which hosts the handbook as an app on your Nextcloud server.

2 Likes

Hi @mdw,

I am positively surprised that this was not forgotten.
Great Work.

As soon as I upgrade to nc23 I will give it a try.