Re: privacy problem: text/html parts pull in network resources

Subject: Re: privacy problem: text/html parts pull in network resources

Date: Wed, 28 Jan 2015 15:57:25 -0800

To: Daniel Kahn Gillmor, David Bremner, notmuch mailing list

Cc:

From: Jinwoo Lee

On Tue, Jan 27, 2015 at 08:44 PM, Jinwoo Lee <jinwoo68@gmail.com> wrote:
> On Tue, Jan 27, 2015 at 07:47 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>> On Sun 2015-01-25 12:51:43 -0500, David Bremner wrote:
>>> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
>>>
>>>> If i send a message with a text/html part (either it's only text/html,
>>>> or all parts are rendered, or it's multipart/alternative with only a
>>>> text/html subpart) and that HTML has <img
>>>> src="http://example.org/test.png"/> in it, then notmuch will make a
>>>> network request for that image.
>>>>
>>>> This is a privacy disaster, because it enables an e-mail sender to use
>>>> "web bugs" to tell when a given notmuch user has opened their e-mail.
>>>
>>> I've just pushed Austin's shr related series to master, so this problem
>>> should be fixed as of commit b74ed1c. One tradeoff that we should at
>>> least remark in NEWS, if not actually fix, is that I think there is now
>>> no way to view such images in notmuch.  I don't know offhand what other
>>> html renderers will do.
>>
>> thanks for this, David and Austin!
>>
>> Other html-rendering mail clients that are privacy-conscious will often
>> provide a button or mechanism to indicate that some remote resources
>> were requested by the page but weren't fetched (e.g. a button saying
>> something like [Load Remote Images...]).  I have no idea who actually
>> clicks on those buttons (or why), though, and even if we wanted them,
>> we'd only want to add a button on an image that actually had remote
>> network resources to load, and i don't know how we'd get that
>> information propagated back up the rendering stack to make such a
>> display decision.   So i'm fine with leaving it this way for now.
>
> Well, most promotional emails contain remote images and their contents
> are incomprehensible without those images.  I ignore most of them but I
> do read a few of those promotional emails.  It would be great to have a
> UI for loading remote resources.

Do you mind if I add a boolean defcustom, which determines whether to
block remote images?  Its default value will be T (block), but people
who want to see remote images can customize it.

>
>>
>>         --dkg
>> _______________________________________________
>> notmuch mailing list
>> notmuch@notmuchmail.org
>> http://notmuchmail.org/mailman/listinfo/notmuch

Thread: