Closed
Bug 108004
Opened 23 years ago
Closed 23 years ago
RFE "view HTML inline" menu item and/or toolbar icon
Categories
(SeaMonkey :: MailNews: Message Display, enhancement)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: william.allen.simpson, Assigned: sspitzer)
References
Details
From Bugzilla Helper:
User-Agent: Mozilla/4.78 (Macintosh; U; PPC)
BuildID: 201103108
need a new menu item "View HTML Inline".
However, better yet, a Eudora-like per message button on the toolbar. The
setting would be saved in the database so that that particular message would be
viewed as desired after the user had verified that they want to view the HTML
attachment(s).
As a security feature, should always default to "off". Some forms of
HTML can execute script or load images with comments that copy personal
information back to the image server.
From a security point of view, this is "Critical"!
Comment 1•23 years ago
|
||
*** This bug has been marked as a duplicate of 69529 ***
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
verified dup
Status: RESOLVED → VERIFIED
reopening per discussion via mail with wsimpson.
Status: VERIFIED → UNCONFIRMED
Resolution: DUPLICATE → ---
Reporter | ||
Comment 4•23 years ago
|
||
It was never really related to #69529, except peripherally.
The recent implementation of (some) global preferences for disabling HTML display
does not provide an opportunity for reading a particular message in HTML, saving
the state of display on a per message basis.
Good security practice would be to never show HTML, until the user had reviewed
the potential behaviour, and then selected this button/menu to enable display for
the single message.
I've also been asked what would be displayed instead of HTML, which this RFE
didn't address. That was specified by several earlier reports, which I have now
added to the dependencies. (I'm sure I've missed some more.)
I still believe this is critical. Without this feature, most users will simply
turn on HTML processing, and be vulnerable to attacks. Experience shows that
unless security features are easy to use, users won't use them!
Comment 5•23 years ago
|
||
Additional Comment #3 From stephend@netscape.com 2002-02-01 11:12:
> reopening per discussion via mail with wsimpson.
wsimpson, since we discussed this per email, too, it would have been nice to cc me.
> The recent implementation of (some) global preferences for disabling HTML
> display does not provide an opportunity for reading a particular message in
> HTML
As I explained to you per email, it does. You have a relatively easily
accessible menu item (in contrast to a checkbox in the prefs window). You just
have to switch back to plaintext after reading in HTML.
It is inconvient, and you might forget to switch back, yes, but given how
obscure that feature is for the average user, more UI for it (a checkbox *and* a
menuitem) would be overkill IMO.
> Good security practice would be to never show HTML, until the user had
> reviewed the potential behaviour, and then selected this button/menu to
> enable display for the single message.
Since most users don't even understand what HTML is (let alone any potential
risk), this proposal is unworkable.
> I've also been asked what would be displayed instead of HTML, which this RFE
> didn't address. That was specified by several earlier reports, which I have
> now added to the dependencies.
That still doesn't answer my question, because the bugs you added as deps
propose different, conflicting alterntives.
I still don't know what this bug is about. Please clarify. See my mails to see
what is missing.
View HTML inline would be a part of bug 30888. Potientially a part of 28327 as
well.
I'd say it's a dupe.
Reporter | ||
Comment 7•23 years ago
|
||
Well, Dylan, long ago I probably might have agreed with you. Folks said it would
be implemented as part of #69529. It wasn't. Or maybe #30888. It wasn't.
Those are both completed now.
Since it's not yet implemented, it's not a duplicate. QED.
Ben, when implementing #69529 and #30888, you argued that the old way of viewing
message source was good enough, just "inconvient". We argued forcefully that we
needed to turn on HTML source viewing as a global preference. It's not good
enough to look at the source _after_ it has destroyed your machine or given your
email address to a spam haus.
Likewise, this is a convenience feature. It's needed to make HTML useable. If
users need to be educated about the security problems with HTML, then of course
they SHOULD be educated! Or there shouldn't be any HTML mail support. It's too
dangerous.
Remember the problems educating 4.x users about inline attachments? How they
have to read most email with the menu item turned off, and turn it on for a
message, and then turn it off again? THAT'S REALLY INCONVENIENT. USERS DIDN'T
DO IT. IT COST ISPS A BUNDLE IN SUPPORT!
Yep, this is a convenience feature.... It saves money and time.
Comment 8•23 years ago
|
||
wsimpson,
you *still* fail to define, what exactly you want in this bug. I am tempted to
just mark it INVALID, but instead, I'll try to do the work for you:
* In prefs dialog, global View As Plaintext pref (bug 30888).
* In menu or toolbar, item/button for View As Plaintext for the
current message only.
* Switch default to View As plaintext.
Is it that what you want?
> Since it's not yet implemented, it's not a duplicate. QED.
You have not yet sufficiently defined what "it" is.
Don't throw around mathematical terms, if you fail to deliver mathematical
precision in your argumentation.
> It's not good enough to look at the source _after_ it has destroyed your
> machine
For security, I suggested bug 30888, which does provide a global pref to disable
HTML viewing.
> Likewise, this is a convenience feature.
The problem with this "convience feature" is that it's not convient. Users don't
want to push a button to view the mail the way it has been composed, just for
security reasons. If users care about security at all, they want it to "just
work", they don't want it to cause more work for them, like pushing a button to
view a mail with formatting.
Netscape is not going to switch the default to plaintext (which is what you
suggest, as I understood you) and let users enable HTML on a per-message basis,
because, as mentioned elsewhere, they are pushing HTML mail.
Beonex might switch the default to plaintext anyway.
So, whom are you arguing with?
> It's needed to make HTML useable.
No, it is not. There are other approaches to make HTML more secure. E.g. bug
108153. There, you could display HTML formatting without security risk (apart
from the normal potential buffer overflows).
Comment 9•23 years ago
|
||
No answer. INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → INVALID
Updated•20 years ago
|
Product: Browser → Seamonkey
You need to log in
before you can comment on or make changes to this bug.
Description
•