[Bug]: Including reverse proxy like this is a huge security liability + bugs #16434

Open
3 of 6 tasks
nickheyer opened this issue Aug 28, 2024 · 0 comments
Labels
bug-report Report of a bug, yet to be confirmed

Comments

@nickheyer

Checklist

  • The issue exists after disabling all extensions
  • The issue exists on a clean installation of webui
  • The issue is caused by an extension, but I believe it is caused by a bug in the webui
  • The issue exists in the current version of the webui
  • The issue has not been reported before recently
  • The issue has been reported before but has not been fixed yet

What happened?

Began debugging why I was able to access the service from an internal IP (docker net) but not via my own traefik proxy, and then realized I could also access it from a *.gradio.live URL, given that the docker template I was using had a share flag included in the entrypoint.

Steps to reproduce the problem

Start webui.sh without understanding the security risks of opening a connection to an arbitrary url.

What should have happened?

Do not package a reverse proxy server with this application and then expect people to install it on their home PCs. It's a liability, regardless of your intention. Even inside of a container ecosystem, this is a security risk given that the user didn't configure it themselves. This is potentially a vector for many now-insecure devices, and this is not some novel concept.

There are plenty of exploits posted around the web for gradio.live specifically, but allowing users to unknowingly add a --share without likely understanding that implication is extremely careless at best. Consider removing the ability to proxy gradio altogether. Consider including a readme with instructions on how to properly set up a secure reverse proxy themselves using nginx + best practices.

What browsers do you use to access the UI ?

No response

Sysinfo

Ubuntu Server x86_64 (or any other operating system)

Console logs

None.

Additional information

No response

@nickheyer nickheyer added the bug-report Report of a bug, yet to be confirmed label Aug 28, 2024
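The report above describes finding --share buried in a Docker template's entrypoint. As an added example, not code from the issue author or from the webui project, here is a small POSIX shell audit a user can run against a webui-user.sh, Dockerfile or entrypoint script before launching. It assumes the webui's own launch flags (--share, --listen, --gradio-auth, --gradio-auth-path, --port) and the COMMANDLINE_ARGS variable that webui.sh reads from webui-user.sh; the severity rules, helper names and the sample entrypoint file are this example's own constructed assumptions.

```shell
#!/bin/sh
# Audit stable-diffusion-webui launch settings for flags that expose the UI
# beyond localhost. Flag names are the webui's real launch flags; the audit
# rules and sample input below are this example's, not the project's.

# audit_webui_args "ARGS": print one finding per line.
# Returns 1 if any HIGH finding (public exposure) is present, else 0.
audit_webui_args() {
    args="$1"
    status=0
    share=0; listen=0; auth=0
    for tok in $args; do
        case "$tok" in
            --share)  share=1 ;;
            --listen) listen=1 ;;
            --gradio-auth|--gradio-auth=*|--gradio-auth-path|--gradio-auth-path=*) auth=1 ;;
        esac
    done
    # --share tunnels the UI to a public *.gradio.live URL; auth does not undo that.
    if [ "$share" -eq 1 ]; then
        echo "HIGH: --share publishes the UI on a public *.gradio.live URL"
        status=1
    fi
    # --listen binds all interfaces; without credentials anyone on the network gets in.
    if [ "$listen" -eq 1 ] && [ "$auth" -eq 0 ]; then
        echo "HIGH: --listen binds 0.0.0.0 with no --gradio-auth / --gradio-auth-path"
        status=1
    elif [ "$listen" -eq 1 ]; then
        echo "MEDIUM: --listen binds 0.0.0.0; keep it behind a firewall or an authenticating reverse proxy"
    fi
    return $status
}

# extract_commandline_args FILE: print the value of an uncommented
# 'export COMMANDLINE_ARGS="..."' line, as found in webui-user.sh style files.
extract_commandline_args() {
    sed -n 's/^[[:space:]]*export COMMANDLINE_ARGS="\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# audit_launch_file FILE: flag any line that passes --share, with line numbers.
# Returns 1 if found, else 0.
audit_launch_file() {
    if grep -nE -- '--share' "$1"; then
        echo "HIGH: $1 launches webui with --share"
        return 1
    fi
    return 0
}

# Constructed sample entrypoint (hypothetical, not a real project file) for a self-test.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
#!/bin/sh
export COMMANDLINE_ARGS="--listen --port 7860 --share"
exec ./webui.sh
EOF

# Usage: audit the extracted args, then the file itself.
audit_webui_args "$(extract_commandline_args "$SAMPLE")" || echo "exposure found in args"
audit_launch_file "$SAMPLE" || echo "exposure found in $SAMPLE"
```

Running the block against the constructed sample reports both the --share tunnel and the unauthenticated --listen bind; the same two functions can be pointed at a real webui-user.sh or a container's entrypoint before the first launch.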