Closed Bug 1530593 Opened 5 years ago Closed 5 years ago

RSS <link> opens in Thunderbird and executes JavaScript

Categories

(Thunderbird :: Untriaged, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 524281

People

(Reporter: u625633, Unassigned)

Details

What did you do? (steps to reproduce):

There seems to be some effort to make sure that external and remote content isn't executed within the Thunderbird browser component.

Looking at this paper from 2006 written by SPI Dynamics, Feed Injection in Web 2.0, I can thankfully say that I wasn't able to reproduce any of those issues; however, I did decide to try something else:

Example RSS item:

<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">

<channel>
    <title>Test RSS feed</title>
    <link>http://localhost</link>
    <description>Test Page</description>
    <item>
        <title>RSS Item 1</title>
        <link>http://localhost/rss/popup.html</link>

        <description>
            <![CDATA[
            <img align="left" hspace="5" src="https://upload.wikimedia.org/wikipedia/commons/6/66/SMPTE_Color_Bars.svg"/>

            <script type="text/javascript">
                document.write('This JavaScript is **not** being executed');
            </script>
            ]]>

            <![CDATA[
                This some HTML <b>boldness</b> to show HTML works.
            ]]>
        </description>
    </item>
</channel>
</rss>

The HTML page from <link>:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8"/>
    <title>Popup</title>
</head>
<body>
    <script type="text/javascript">
        window.alert("A Wild popup appears!");
    </script>
</body>
</html>

What happened? (actual results):

When I created an RSS item and double-clicked on the RSS item in the thread pane, the <link></link> item was opened within Thunderbird and the JavaScript was executed.

What should have happened? (expected results):

I don't believe this is the correct outcome. I'd far rather it open in my browser, where I have control over what happens (uBlock Origin, uMatrix, etc.).

Certain people in the past have suggested toggling the about:config option javascript.enabled; however, JavaScript is necessary for other things, such as the auto-configuration options that allow a provider to specify if it supports OAuth2 and allow a user to provide their 2FA code. Toggling such a global setting would actually reduce security overall.

I also attempted these various options, and it would appear that they have no effect. The "View > Message Body As" option does still work. That's not really helpful when I want to make sure that something always opens in a particular way.

/* 6208: What classes can process incoming data.
 * (0=All classes (default), 1=Don't display HTML, 2=Don't display HTML and inline images,
 * 3=Don't display HTML, inline images and some other uncommon types, 100=Use a hard coded list)
 * [1] https://www.privacy-handbuch.de/handbuch_31j.htm ***/
user_pref("rss.display.disallow_mime_handlers", 3);

/* 6209: How to display HTML parts of a message body
 * (0=Display the HTML normally (default), 1=Convert it to text and then back again
 * 2=Display the HTML source, 3=Sanitize the HTML, 4=Display all body parts)
 * (in trunk builds later than 2011-07-23)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=602718
 * [2] https://hg.mozilla.org/comm-central/rev/c1ef44a22eb2
 * [3] https://www.bucksch.org/1/projects/mozilla/108153/ ***/
user_pref("rss.display.html_as", 1);

/* 6210: Prefer to view as plaintext or html
 * true=Display a message as plain text when there is both a HTML and a plain
 * text version of a message body
 * false=Display a message as HTML when there is both a HTML and a plain text
 * version of a message body. (default) ***/
user_pref("rss.display.prefer_plaintext", true);

It should also be noted that in the above example:

<img align="left" hspace="5" src="https://upload.wikimedia.org/wikipedia/commons/6/66/SMPTE_Color_Bars.svg"/>

3rd-party content will be displayed even though it is remote content.

I believe this should act the same as it does with HTML emails, as this could be used as a tracking beacon.

It should also be noted that those user_prefs are not implemented for RSS feeds despite being exposed, so that observation is covered by bug 458606.
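The email-style handling the report asks for (scripts inside a <description> ignored, remote images not fetched without the user's say-so) can be made concrete on the feed item above. The Python below is an added example written for this page, not Thunderbird's feed code; it embeds the reporter's item as constructed input and runs an allow-list sanitizer over the description HTML. The names FeedHtmlSanitizer, sanitize_item and is_remote are this example's own.

```python
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed input: the reporter's feed, trimmed to its single item.
SAMPLE_RSS = b"""<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
  <title>Test RSS feed</title>
  <link>http://localhost</link>
  <description>Test Page</description>
  <item>
    <title>RSS Item 1</title>
    <link>http://localhost/rss/popup.html</link>
    <description><![CDATA[
      <img align="left" hspace="5" src="https://upload.wikimedia.org/wikipedia/commons/6/66/SMPTE_Color_Bars.svg"/>
      <script type="text/javascript">
        document.write('This JavaScript is **not** being executed');
      </script>
    ]]><![CDATA[
      This some HTML <b>boldness</b> to show HTML works.
    ]]></description>
  </item>
</channel>
</rss>
"""

# Policy for feed summary HTML (this example's own): keep simple formatting,
# drop active content with its body, and treat remote images like HTML mail does.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
LINK_SCHEMES = {"http", "https", ""}  # "" = relative reference


def is_remote(url):
    """Anything that names a host is remote; data: URIs and relative paths are not."""
    return bool(urlsplit(url.strip()).netloc)


class FeedHtmlSanitizer(HTMLParser):
    def __init__(self, allow_remote=False):
        super().__init__()  # convert_charrefs=True: entities arrive decoded in handle_data
        self.allow_remote = allow_remote
        self.out = []
        self.blocked_remote = []  # remote image URLs that were dropped instead of fetched
        self.dropped_tags = []    # element names removed from the output
        self._skip_depth = 0      # > 0 while inside script/style/etc.

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped_tags.append(tag)
            self._skip_depth = 1  # body is discarded until the matching end tag
            return
        if tag not in ALLOWED_TAGS:
            self.dropped_tags.append(tag)  # tag goes, its text content is kept
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # event handlers, styling, unknown attributes
            if name == "src" and is_remote(value) and not self.allow_remote:
                self.blocked_remote.append(value)
                return  # remote image: emit nothing, so no request is made
            if name == "href" and urlsplit(value.strip()).scheme not in LINK_SCHEMES:
                continue  # e.g. javascript: links lose their target
            kept.append((name, value))
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}/>" if tag in VOID_TAGS else f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data))

    def result(self):
        # Collapse the CDATA indentation for readable output.
        return re.sub(r"\s+", " ", "".join(self.out)).strip()


def sanitize_item(rss_bytes, allow_remote=False):
    """Parse the first <item> and return its sanitized summary plus what was blocked."""
    item = ET.fromstring(rss_bytes).find("./channel/item")
    s = FeedHtmlSanitizer(allow_remote=allow_remote)
    s.feed(item.findtext("description") or "")
    s.close()
    return {
        "title": item.findtext("title"),
        "link": item.findtext("link"),  # returned as-is: where it opens is a separate policy
        "html": s.result(),
        "blocked_remote": s.blocked_remote,
        "dropped_tags": s.dropped_tags,
    }


if __name__ == "__main__":
    for allow in (False, True):
        print(f"allow_remote={allow}:", sanitize_item(SAMPLE_RSS, allow_remote=allow))
```

With allow_remote=False the <img> is dropped and its URL reported rather than fetched, which is the "Allow remote content in messages" behaviour the report expects; the <script> element disappears together with its body either way, matching the observation that the script in the description is not executed. The item's <link> is deliberately passed through untouched: whether it opens in the message pane or in the default browser is a display policy, not a sanitization step.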

It is entirely by design that opening a feed item's link displays the web page in the message pane, and for web pages javascript is allowed. It's governed by the same content sandboxing as content displayed in firefox. Popups and alerts are legal and don't demonstrate anything. If you can demonstrate web page script running privileged code, certainly attach the proof. If you want to open feed links in the default browser, set the pref to 3.

// Feed message display (summary or web page), on open.
// Action on double click or enter in threadpane for a feed message.
// 0 - open content-base url in new window
// 1 - open summary in new window
// 2 - toggle load summary and content-base url in message pane
// 3 - load content-base url in browser
pref("rss.show.content-base", 0);

Ad blocking extension uBlock partially works in the latest Tb but web extensions apis are not fully enabled yet, though there is work ongoing in both Tb and uBlock. I agree this is very important:
https://github.com/uBlockOrigin/uBlock-issues/issues/194#issuecomment-455824768

Viewing feed summaries is governed by the same options as mail messages; separating the prefs out was not implemented and in any case would not apply to a web page. The pref code you inlined is not even from the current codebase.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

Ah, thanks for the reply. Ah, I see why that bug didn't come up when I searched for it. I searched for "rss" and that's not in the bug summary for 524281 😀

> Popups and alerts are legal and don't demonstrate anything.

Yeah, I wasn't trying to demonstrate anything other than that it could be annoying, because at the moment there's either javascript.enabled=false or everything. I am one of those people who use uMatrix, and I like to block 1st-party JavaScript by default.

For the time being I'll use rss.show.content-base=3. Is this exposed in the UI anywhere? I think it probably should be.

> Ad blocking extension uBlock partially works in the latest Tb but web extensions apis are not fully enabled yet, though there is work ongoing in both Tb and uBlock. I agree this is very important:
> https://github.com/uBlockOrigin/uBlock-issues/issues/194#issuecomment-455824768

Ah yes, I saw that some time ago and this will be awesome. It will make a lot of people happy.

> Viewing feed summaries is governed by the same options as mail messages; separating the prefs out was not implemented and in any case would not apply to a web page.

That was more of a separate issue, such as an img src link to a remote server. I expected it to behave the same as in an email and be governed by "Preferences > Privacy > Allow remote content in messages" and the warning that pops up about remote content, like you get when someone does that in the body of an HTML email. Like email, <script> tags in the contents of a <description> are ignored.

> The pref code you inlined is not even from the current codebase.

I had tested that with Thunderbird 65.5.1. I thought comm-release was the current codebase. Those options still seem to be in comm-beta. Maybe they shouldn't be exposed in about:config if they don't actually do anything 😉.

(In reply to Tylera A from comment #4)

> For the time being I'll use rss.show.content-base=3. Is this exposed in the UI anywhere? I think it probably should be.

It's now exposed and documented in the Learn More link guide.
