Open Bug 1680499 Opened 6 months ago Updated 1 month ago

Notify the user about conditional CSS in email, allow the user to strip or keep

Categories

(MailNews Core :: Security, enhancement, P2)

Tracking

(Not tracked)

People

(Reporter: KaiE, Unassigned)

If we receive or compose an HTML email, we have the choice to either keep CSS conditional rules (and be vulnerable to attacks as described in bug 1530106), or to strip CSS conditional rules and have a degraded display like described in bug 1659362 and its duplicates, and possibly corrupted message contents caused by bugs, such as bug 1675507.

This bug suggests addressing the issue by involving the user.

Potentially we could notify the user whenever reading or composing an email that contains conditional CSS, and ask the user for their decision.

Potentially the notification could be stronger whenever a digital signature (S/MIME or OpenPGP) is involved.
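
A sketch of the check this proposal implies, as an added example that is not Thunderbird code or part of the bug report: it scans the HTML parts of a message for conditional at-rules and picks a stronger notice level when the message is signed. Assumptions: "conditional CSS" is taken to mean `@media` and `@supports`, only `multipart/signed` counts as signed, and `scan_message`, `StyleText`, the notice levels and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Assumption: "conditional CSS" is taken to mean the @media and @supports at-rules.
CONDITIONAL = re.compile(r"@(media|supports)\b", re.I)

class StyleText(HTMLParser):
    """Collect the raw text of every <style> element."""
    def __init__(self):
        super().__init__()
        self.tag, self.css = None, []
    def handle_starttag(self, tag, attrs):
        self.tag = tag
    def handle_endtag(self, tag):
        self.tag = None
    def handle_data(self, data):
        if self.tag == "style":
            self.css.append(data)

def scan_message(raw):
    """Return the conditional at-rules found and the notice level to show."""
    msg, signed, found = message_from_string(raw), False, set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/signed":  # detached S/MIME or OpenPGP/MIME signature
            signed = True
        elif ctype == "text/html":
            body = part.get_payload(decode=True) or b""
            html = body.decode(part.get_content_charset() or "utf-8", "replace")
            parser = StyleText()
            parser.feed(html)
            parser.close()
            # Comments separate tokens in CSS, so replace them with a space.
            css = re.sub(r"/\*.*?\*/", " ", "".join(parser.css), flags=re.S)
            found.update(name.lower() for name in CONDITIONAL.findall(css))
    notice = "none" if not found else ("strong" if signed else "normal")
    return {"rules": sorted(found), "signed": signed, "notice": notice}

# Constructed sample: a signed mail whose HTML part hides a paragraph on narrow screens.
SAMPLE = (
    'Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b1"\n\n'
    "--b1\nContent-Type: text/html; charset=utf-8\n\n"
    "<style>/* layout */ @media (max-width:600px) { p { display:none } }</style><p>Hi</p>\n"
    "--b1\nContent-Type: application/pgp-signature\n\n(placeholder, not a real signature)\n"
    "--b1--\n"
)
if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

This is a heuristic: it does not decode CSS escape sequences inside at-rule names, and it cannot see into opaque-signed `application/pkcs7-mime` bodies.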

Priority: -- → P2