On Sun 2015-01-25 12:51:43 -0500, David Bremner wrote:
> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
>
>> If i send a message with a text/html part (either it's only text/html,
>> or all parts are rendered, or it's multipart/alternative with only a
>> text/html subpart) and that HTML has <img
>> src="http://example.org/test.png"/> in it, then notmuch will make a
>> network request for that image.
>>
>> This is a privacy disaster, because it enables an e-mail sender to use
>> "web bugs" to tell when a given notmuch user has opened their e-mail.
>
> I've just pushed Austin's shr related series to master, so this problem
> should be fixed as of commit b74ed1c. One tradeoff that we should at
> least remark in NEWS, if not actually fix, is that I think there is now
> no way to view such images in notmuch. I don't know offhand what other
> html renderers will do.

thanks for this, David and Austin!

Other html-rendering mail clients that are privacy-conscious will often
provide a button or mechanism to indicate that some remote resources
were requested by the page but weren't fetched (e.g. a button saying
something like [Load Remote Images...]).

I have no idea who actually clicks on those buttons (or why), though,
and even if we wanted them, we'd only want to add a button on an image
that actually had remote network resources to load, and i don't know how
we'd get that information propagated back up the rendering stack to make
such a display decision.

So i'm fine with leaving it this way for now.

--dkg
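
The message above leaves open how a client would learn that an HTML part asked for remote resources it did not fetch. The following Python is an added example, not notmuch code and not from anyone in this thread: it walks a message's text/html parts and reports the references a renderer would have had to fetch, which is the information a "[Load Remote Images...]" notice would need. The names `FETCHING_ATTRS`, `RemoteRefFinder` and `remote_resources`, the attribute list, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Tag/attribute pairs a renderer fetches on display (assumed list, not
# exhaustive; CSS url() references are not inspected).
FETCHING_ATTRS = {"img": ("src",), "iframe": ("src",), "script": ("src",),
                  "link": ("href",), "body": ("background",)}

class RemoteRefFinder(HTMLParser):
    """Collect (tag, url) pairs that would need a network request."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCHING_ATTRS.get(tag, ()) or not value:
                continue
            url = value.strip()
            # cid: and data: resolve inside the message; these reach the network.
            if url.lower().startswith(("http://", "https://", "//")):
                self.remote.append((tag, url))

def remote_resources(raw_message):
    msg = message_from_string(raw_message, policy=default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            found.extend(finder.remote)
    return found

# Constructed sample: multipart/alternative with one remote and one cid: image.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

hello
--b1
Content-Type: text/html; charset="utf-8"

<p>hello</p><img src="http://example.org/test.png"/><img src="cid:logo@example.org">
--b1--
"""
```

A non-empty result from `remote_resources(SAMPLE)` is the signal to show a notice; an empty list means the message can be rendered with nothing withheld.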