Re: web interface to notmuch

Subject: Re: web interface to notmuch

Date: Thu, 19 Oct 2017 16:13:38 -0400

To: Brian Sniffen

Cc: Matthew Lear,

From: Daniel Kahn Gillmor

On Thu 2017-10-19 16:00:33 -0400, Brian Sniffen wrote:
> I don’t think they can be sanitized. Web tech moves so fast.

well, there are at least a handful of python modules that claim to do
some sort of sanitization.

in debian alone, we have at least:


so, one approach would be to just adopt one of them, and then it's their
fault if it breaks :)

I'm not saying it's a great approach, but it seems better than the
current situation where no sanitization is done at all.

> But maybe they can be isolated. GMail uses a separate domain for the
> content from the UI; I have hopes about response headers and iframe
> attributes.

That's an interesting approach too, though it doesn't isolate message A
from message B, which is a distinct concern.  The worry isn't just that
the content could take over the UI, right?

Maybe isolation and sanitization can be used in combination?  even if
neither of them is perfect, it'd be a damn sight better than pipermail.

> Also, if the whole site’s static—not just the nmweb part—you probably
> can’t hurt much.

depends on what kind of harm you're talking about -- i think the privacy
harms are potentially pretty serious.  The public library is static, but
if reading one book meant that you ended up reporting on your future
reading habits (of any book) to some unknown third party, that would be
pretty bad.
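
Added example (not part of the original message, and not nmweb code): a check of the "response headers and iframe attributes" idea discussed above, assuming each message body is served as its own response from a content-only host. A `sandbox` directive without `allow-same-origin` gives every body its own opaque origin, which addresses the message-A-versus-message-B concern, and `default-src 'none'` blocks the remote loads behind the privacy concern. `BODY_CSP`, the function names and the `content.example` host are constructed for illustration.

```python
import html

# Constructed policy for a response carrying ONE message body (assumption:
# bodies are served from a content-only host, separate from the UI host).
BODY_CSP = ("sandbox; default-src 'none'; img-src data:; "
            "style-src 'unsafe-inline'; form-action 'none'; base-uri 'none'")

FETCH = ("default-src", "img-src", "style-src", "font-src", "media-src",
         "script-src", "connect-src", "frame-src", "object-src")

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # per CSP, the first occurrence of a directive wins
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_body_policy(csp_value):
    """Return a list of problems with the policy for a message-body response."""
    policy = parse_csp(csp_value)
    problems = []
    sandbox = policy.get("sandbox")
    if sandbox is None:
        problems.append("no sandbox: body runs in the serving origin")
    else:
        if "allow-same-origin" in sandbox:
            problems.append("allow-same-origin: all bodies share one origin")
        if "allow-scripts" in sandbox:
            problems.append("allow-scripts: message scripts execute")
    if policy.get("default-src") != ["'none'"]:
        problems.append("default-src is not 'none': unlisted fetches allowed")
    for name in FETCH:
        for src in policy.get(name, []):
            # quoted keywords ('none', 'unsafe-inline') and data: stay local
            if not src.startswith("'") and src != "data:":
                problems.append(f"{name} {src}: remote load reveals the reader")
    return problems

def frame_tag(body_url):
    """UI-side embed: empty sandbox attribute, no Referer sent to the body."""
    return ('<iframe sandbox="" referrerpolicy="no-referrer" src="%s"></iframe>'
            % html.escape(body_url, quote=True))
```
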

