Custom emojis should be uploaded to and served from the relevant GitLab instance
Currently when you add a custom emoji, we just serve that emoji image from the URL you supplied when you added it. This is problematic for a few reasons:
- The third party source for the image is not controlled by GitLab, but the UX of GitLab is our responsibility. If that image is moved, then it's our problem that our user is seeing broken images for emojis. But we have no control over that image.
- GitLab does not own that image file. There are possible copyright implications?
- GitLab does not know or control what sort of tracking the 3rd party host of that image does. Users may be tracked by the host of those emojis whenever they visit a page in GitLab that contains a custom emoji.
Proposal:
- We should allow direct file upload for custom emojis
- If we continue to allow users to add custom emojis by URL, we should download that image and host it ourselves rather than using the user-supplied URL
Edited by Chad Lavimoniere