On Fri 2015-01-23 02:21:41 -0500, David Edmondson wrote: > Whilst I think that having this knob is a good thing, I don't think that > it's a solution to the 'text/html renderers access the network' > problem. I can't sensibly (and don't wish to) disable the display of > text/html parts by default (colleagues generate too many text/html > messages to make that feasible, and I have rss2imap generate a bunch of > text/html messages that I want to see in their full glory), but would > definitely like to choose whether a message can sell me out to > advertisers. > > I'm trying to say that this is good, but let's not get into the habit of > telling someone that complains about network access that adding > text/html to `notmuch-show-always-hide-types' is the solution. I agree with this sentiment. I had been grousing earlier (off-list) about rendering html messages in general (i don't like exposing arbitrary attacker-delivered content to a complicated parser where i can avoid it), so i see Mark's patch as a useful tool to prevent that problem, not about remote network access during render. preventing network access from html-rendered messages is better handled in a workaround by (gnus-blocked-images "."), though notmuch should enforce this setting by default when rendering html parts. --dkg