I have a fix for this on shr buried deep in an old patch series that I never got back to: id:1398105468-14317-12-git-send-email-amdragon@mit.edu For shr, the key is to set shr-blocked-images to ".". However, IIRC, in the current notmuch message rendering pipeline, mm overrides this variable with something computed from gnus-blocked-images. That said, I'm not sure why gnus-blocked-images isn't *already* taking care of this, but that's probably the place to start digging. Quoth Daniel Kahn Gillmor on Jan 21 at 4:00 pm: > If i send a message with a text/html part (either it's only text/html, > or all parts are rendered, or it's multipart/alternative with only a > text/html subpart) and that HTML has <img > src="http://example.org/test.png"/> in it, then notmuch will make a > network request for that image. > > This is a privacy disaster, because it enables an e-mail sender to use > "web bugs" to tell when a given notmuch user has opened their e-mail. > > It's also a bit of a consistency/storage/indexing disaster because it > means that what you see when you open a given message will change > depending on the network environment you're in when you open it. > > It's also potentially a security problem because it means that anyone in > control of the remote server (or the network between you and the remote > server if the image isn't sourced over https) can feed arbitrary data > into whatever emacs image rendering library is being used. (granted, > this is not a unique problem because this can already be done by the > original message sender with a multipart/mixed message, but it's an > additional exposure of attack surface) > > I just raised this on #notmuch, and i don't have the time or the > knowledge to look into it now, but i think the defaults here need to be > to avoid network access entirely unless the user explicitly requests it. > > --dkg > _______________________________________________ > notmuch mailing list > notmuch@notmuchmail.org > http://notmuchmail.org/mailman/listinfo/notmuch