Closed Bug 28327 (ImgInMail) Opened 25 years ago Closed 20 years ago

No server hits at HTML mailnews reading - privacy (disable remote content/web-bugs)

Categories

(MailNews Core :: Security, defect, P3)

Product:
MailNews Core
Component:
Security
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta1

People

(Reporter: BenB, Assigned: mscott)

References

(Blocks 2 open bugs)

Details

(Keywords: fixed-aviary1.0, helpwanted, privacy, Whiteboard: [need info])

Attachments

(4 files)

Evaluations mail settings..
20.44 KB, image/jpeg
Details
html stripping in Mail.app
151.24 KB, image/jpeg
Details
Information tracked when reading a mail with remote contents.
18.66 KB, text/html
Details
the fix
697 bytes, patch
Details | Diff | Splinter Review
Spammers may insert and invisible IMG tag into a HTML mail page, which loads an URL, which contains information about the recipient, e.g. allows to tracking reading of msgs. This is a privacy issue. It's especially bad together with bug #22994, but not limited to it.
Should better be implemented as pref (with default=no hits?), as there may be legal applications in an intranet.
Summary: No server hits for at mailnews reading → No server hits at mailnews reading
What, you mean you don't like receiving a webpage by e-mail! :-( By blocking images in e-mail (which is what this report is advocating), you will lose that ability. In essense, you will be destroying the browser's file/send-page command.
webpages by e-mail should be sent using multipart/related. Or one should send a link and have the user click on the link.
Summary: No server hits at mailnews reading → No server hits at mailnews HTML reading
Summary: No server hits at mailnews HTML reading → No server hits at mailnews HTML reading - privacy
Agreed, "Send page" should include images in the mail - otherwise I loose the ability to read my mail offline.
I think *any* URL can be abused this way. I doubt it's safe to assume that any network connection initiated from mail is secure and/or private.
The "HTML" I put in the summary is meant to refer to the type of mail containing the URL. I'm trying to make this bug visible to people searching for issues with HTML mail.
Summary: No server hits at mailnews HTML reading - privacy → No server hits at HTML mailnews reading - privacy
I believe that there is widespread support outside of Netscape for preventing the mail client from making any network connection whatsoever except to the mail server. Another way to picture this is just an automatic way of toggling online/offline when switching from browser to mail. For some reason Netscape and Mozilla are fiercely resistant to this idea, but I haven't heard anyone outside of Netscape voice any opposition.
> Another way to picture this is just an automatic way of toggling > online/offline when switching from browser to mail. No, this is a violation of multitasking. Statisically, mails are the second largest "out-of-band" source for URLs. All I want is to disable network traffic (other than to the mail server) caused by mail reading *itself*. Otherwise, we can disable URL recognition as well.
That is what I meant, I just left out the *itself* part. I should've been a little clearer.
I feel this should ultimately be performed by a bug #7380 type arrangement, which prompts by default. The prompts should give a note about spammers, and would allow the user to remember decisions globally, on a site-by-site, URL-by-URL, etc. basis.
7380 proposes an extremely complex UI, which will be hard to understand and be prone to error. A usable mail reader should not have modal dialog boxes popping up in response to viewing a message. Configurability is no excuse for poor defaults.
Bug 28612 (META refresh allowed in mail/news) is a related bug.
Status: NEW → ASSIGNED
Target Milestone: M15
Bulk moving all MailNews Security bugs to new Security: General component. The previous Security component for MailNews will be deleted.
Component: Security → Security: General
> I believe that there is widespread support outside of Netscape for preventing > the mail client from making any network connection whatsoever except to the > mail server. I'd be interested to know more about this. Could you provide the names of some products which do this?
There aren't. I am assuming that Mozilla is trying to be conservative here and figures no need to implement features not already done by someone else. If this is the case, I would like to make a preemptive comment: I hope Mozilla has not been reduced to a project seeking to combine features of other packages and offer no innovation of its own.
7380 is an essential feature for power users who don't want the defaults of novices. There are no sensible defaults. The dialogs are there to make it easier for novices to choose which sites they trust using 7380 - letting the user specify who to trust is the only way to properly address this. Sure, dialogs are invasive, I'm open to better ideas.
That is only half a fair comment Jerry, as Mozilla is still behind other products (eg Nav 4) in some areas. Hence it is best to catch up before trying to pass. In this circumstance, however, the new feature is more important than many of the old ones.
I think, this is a MUST for final. beta2 nomination.
Keywords: beta2
bulk move to M16. Not an M15 stopper. If you disagree, pls comment in bug and cc: selmer@netscape.com
Target Milestone: M15 → M16
Keywords: nsbeta2
This bug is a subset of bug 36484.
Keywords: beta2
norris, any comments or insights to help here. A feature request, thoughts for PR2.
Whiteboard: [NEED INFO]
I agreeed with jgmyers that webpages need to be sent as multipart/related message. This requires a fair amount of work. However, there is no guarantee that other mail clients will do the same. Using a pref with default value set to "no" seems to be the right way to go. I believe Steve has done the work. Steve?
The work I've done is to block images from selected sites. As you browse, you will encounter offending images that you can right-click on and add to the list of sites from which you want images blocked. Then when you read a mail message and it contains an image from that site, the image is not loaded.
Removing the [NEED INFO] for PDT re-eval.
Whiteboard: [NEED INFO]
Blocking images does not at all fix this. An offensive sender, knowing that images can be blocked, can include an external applet, stylesheet or whatever to get the server hit.
Putting on [nsbeta2-] radar. Not critical to beta2. But adding nsbeta3 keyword for a fix prior to PR3.
Keywords: nsbeta3
Whiteboard: [nsbeta2-]
Mass moving M16 to M17 - look for nsbeta2 before anything else.
Target Milestone: M16 → M17
Depends on: 37983
Changed QA Contact to czhang@netscape.com
QA Contact: lchiang → czhang
As noted earlier, blocking images (and cookies) from a site doesn't help until after the fact, and any object that can be loaded from a remote server can act as an involuntary return receipt. All that is needed is to throw in a unique identifier somewhere like a query string then parse the server logs for it. For example, a CSS object, though this can be done to images, HTML files, audio files, etc.: http://server.domain.com/dir/stylesheet.css?UniqueID=victimsusername%40domain.co m%20isValidEmail The query string does not in fact run a query, and does not affect the loading of the object. But it is logged by the server and thus can easily be examined later. This is a great way for spammers to confirm a valid address they've sent to, because this way they can ignore the bounced e-mails by falsifying their From: headers and still build a database of known good e-mail addresses by running web server log reports on the query string. (This all is exactly the method reported in bug 22994, just applied more broadly.) There is only one way to fix this, and that is to provide an option to disable all network calls from the mail/news client. The option to disable cookies and images on a site-by-site basis is great, but too little too late for someone targeted with this type of attack.
The concerns expressed about Mozilla working with Web pages that have been mailed are red herrings at best. Mozilla should not emulate Netscape 4.X's behavior of only sending the HTML and not the images and associated objects with the page. IE sends everything, and Mozilla should too. This also eliminates the need to allow any network activity from mail and news except for to mail servers specified in the prefs. I have a feeling that I share the opinion of many readers in that if I want to visit a site, I will either go there myself, or click on a link to it.
Whilst sharing sharing the concerns I have two comments: 1) I used to run a genuine, opt-in HTML email newsletter through the Netscape Inbox direct program. It was about financial markets and contained references to graphics on the server for two reasons: a) Graphics that were used every day remained in the browser cache and saved unnecessary network traffic and download times b) a stop-press graphic could alert users to any major change since the mail was sent. You may ask why not go to a web page, but our site statistics showed that there were users that liked receiving the information this way - their choice, supported by Netscape. 2) Is there evidence that nefarious receipt function is taking place? Does it matter - once a spammer has your address, that address has had it anyway and will be passed around with no evidence of it working. If this leads to non-working addresses being removed so much the better for network traffic and mail server administrators of dead accounts. 3) The challenge when addressing issues such as this one is that many, many users do not change their preferences so how does the default get set - to block these images or not?
The nefarious receipt function has indeed been used by a well known vendor of personal finance and income tax software. They include a tagged URL to a 1x1 transparent GIF. The default should be privacy.
The user expectation is that correspondants will not know when they read email, unless an explicit "read receipt" is approved. Thus the default must be either full privacy, or "ask the user".
Can this not be fixed with the new content policy hooks? (I'm not sure if the DOM can let us figure out that we're loaded in a mail context, if not we can figure something out.)
Severity: normal → major
Keywords: mail4
Target Milestone: M17 → M18
Thanks for increasing importance of this bug (nsbeta3 and mail4 nomination, severity major). I'll spend a round of donuts for the Mailnews team, if you fix this before release :). > > preventing >> I believe that there is widespread support outside of Netscape for preventing >> the mail client from making any network connection whatsoever except to the >> mail server. > Could you provide the names of some products which do this? While Jerry propably referred to customers' support, there are indeed a lot of clients honoring this kind of privacy: plaintext UAs :). (Indeed, I think, some amount of plaintext mailer users chose these clients because of security and privacy concerns.)
Hell, I'll pitch in a case of beer to the developer that does this :) Seriously
Whiteboard: [nsbeta2-] → [nsbeta2-][b3 need info]
What info is needed to make a b3 +/- decision?
Whiteboard: [nsbeta2-][b3 need info] → [nsbeta2-]
- per mail triage. Behavior is the similar to Communicator 4.x.
Whiteboard: [nsbeta2-] → [nsbeta3-][nsbeta2-]
> - per mail triage No donuts. > Behavior is the similar to Communicator 4.x. ...which was a privacy thread. <rant> I don't think, we will win many users, if our bugs are a superset of those in 4.x. </rant> being a bit more constructive: Adding helpwanted and filing bug 49021 for a (hackish) workaround.
Keywords: helpwanted
Hmm, Microsoft just got harpooned in the New York Times for this exact issue. See http://www.nytimes.com/cnet/CNET_0_4_2652562_00.html . What's our exposure? CCing ekrock.
If I understand this correctly, Navigator 4 Mail also had this issue, right? Our minimal security goal for RTM is to be *as* secure as Navigator 4. Being more secure is of course desirable, but that's an enhancement request, and the time for implementing enhancements has long since passed. This is really a question of Mail security policy, so I'm cc:ing sol. I note that someone has already marked this [nsbeta3-]. If Nav4 Mail indeed had the same issue, I agree and recommend Future as well.
Yes, this has been this way since HTML mail made its way into Netscape 2.x - rhp
I am curious why the goal of Mozilla and Netscape is only to maintain parity with NN4 in terms of security. Why not just keep the parity with CSS compliance and HTML too?
Thats not the goal. The goal is to always exceed previous products and be 100% standards compliant, but if you want to ship a product in any of our lifetimes, you come to a point where stuff has to be cut. We are at that point. - rhp
And security was nominated for weeding out. Can outside contributors make a vote of no-confidence in the body responsible for this decision. It is quite illuminating about Netscape's prioroties however. AIM must work - privacy...screw it.
If you want to be sarcastic and negative, that's your choice. I was just trying to provide some information on this issue. Sorry I tried to take part in the process. - rhp
It's not personal. My view is what good is a CSS compliant browser if it chugs along spewing personal information and violating my privacy? Netscape has never taken security very seriously unless someone turns on the light of the media and then Netscape scrambles to look "concerned". I am not saying that there are not individuals at the company that are concerned, but that the company overall doesn't care until there is some serious negative publicity. That is what is wrong here - that security is almost =always= put on the back burner for other things that are not even half as important except to drooling marketing droids.
PDT should have the following goal: Prevent Netscape 6 from receiving bad press for things where microsoft has already received bad press. Shaver could you please direct this concern to someone who can affect policy. Or commment otherwise? Thank you.
Presumably you can read mail off-line if you are worried about this kind of thing. Worked for me in 4.x, that might be a good enough answer for now. ekrock: doing things the same as 4.x may not be good enough; the world has changed. two years ago only the hair-shirt prophets in the wilderness were complaining about privacy, now it's a big issue that has attracted lots of press and lawsuits. jerrybaker: you are an idiot if you think we haven't taken security seriously. Your hair would curl if you knew some of the potential attacks that have been discovered and fixed in Mozilla. It's certainly too bad we didn't get to do a privacy enhancement like this, but it's not a true security issue. Meanwhile, we have a cookie manager and an image blocker (both useful in this situation), both of which are significant privacy enhancements over 4.x. As long as we don't regress privacy in other areas (and this isn't worse) I'd say we're making forward progress.
What's a "hair-shirt prophet"?
perhaps an over-contraction on my part of "hair-shirt wearing, locust-eating prophet", i.e. all those biblical dudes who didn't get much respect yet were nonetheless proved utterly right in the end. Maybe I should have gone with "Kassandra" instead.
("Kassandra" with a K is inauthentic spelling of the Trojan seer's name, although that phrase is a line from the movie "Warlock"!) Also, jerrybaker shouldn't be faulted for not seeing certain bugs where Mozilla has sweated security attacks devised by folks like Georgi Gunninski, because netscape.com chose to make those bugs Netscape-confidential in bugzilla. I still think many to most of those bugs should be wide-open, certainly now that we are past beta2. /be /be
Jerry, please don't assume that some overworked Netscape engineers' de-prioritizing this particular issue, which is obviously a pet peeve issue for you, reflects anything about Netscape's commitment to security. It's not that we don't care until exploits hit the press, it's that you only hear about it when it does hit the press. Anyway, that's why we're open source; if something really bugs you, either fix it or find someone (not necessarily at Netscape) who's interested in fixing it.
Kassandra with a "k" is a perfectly fine spelling, used, for example, by Richmond Lattimore is his Illiad. (He did go with the latinized Cassandra in his translation of Aeschylus's "Agamemnon" published around the same time, though.)
Lattimore, eh? I'm old school (or maybe old-new school), I was raised on Cassandra with a C. Is this bug long enough yet? More to the point, is anyone going to cough up a patch that I can approve? Who is up to the coding task? /be
The reason this is a "pet peeve" of mine is because this one issue represents one of the largest and possibly most insidious security holes excepting viruses or other things that cause physical damage. Being able to tie a user by email address to visited Web sites because the Mozilla team doesn't feel it important is literally a tragedy. Can we at least get Mozilla to come by default with images blocked from all sites known to exercise this behavior?
From what I can tell, the following are =known= to have used Web bugs in email marketing campaigns: Barnes and Noble eToys Cooking.com Microsoft InfoBeat
Alright, I'm going to make this bug a little longer: I wish jerrybaker at least would stop using "the Mozilla Team" to mean netscape.com, a business with scarce resources it disposes as it sees fit, and (in opposition), the royal "we", at least himself. The Mozilla community contains lots of people capable of hacking a fix here. I am cc'ing a few. Complaining about netscape.com is fine; maybe it will change the PDT's mind. But producing a patch, or a partial patch even, is better. There is no Mozilla Team preventing that. Why not talk this bug up in the newsgroups with an appeal to get a patch cobbled together? A patch to filter HTTP accesses from inline images in HTML mail would be a start. It shouldn't hardwire evil domain names. How should it then access a configurable, possibly shared list of domains? /be
I do not want to get the two confused, but the lines between what is mozilla.org and what is Netscape are =very= blurry (not just in this bug).
The line between security and privacy is very confused in this bug.
> A patch to filter HTTP accesses from inline images in HTML mail would be a > start This is what bug 49021 is about.
> The line between security and privacy is very confused in this bug. Actually not. There are two things going on here. One is that invisibile images can be inserted into email sent to me in order to log when I read my mail - this is a privacy issue. The second thing is that a cookie can be set with this image in order to associate that cookie with an email address - this is a security hole.
I'm with Steve: I don't see how setting a cookie is a security issue. I'd say it's a privacy risk, and I spend a fair amount of time thinking about this sort of thing. (Modulo implementation bugs like buffer overflows in the cookie handling, but those are risks for all content.) As far as not allowing external content to be loaded from mail, I don't see why the content-policy hooks aren't sufficient. Can't you use them to poke up the DOM chain and see if you're in a mail message, and then veto any inappropriate URL load attempt?
Setting cookies is not a security issue. When people browse, they realise the context of their browsing. They are on the Web - the Web has cookies. Email present a different context. I don't think people would expect that cookies can be set by email messages to later be read while browsing the Web (which is the effect of this). Sure one could argue that email is in the same context as Web browsing since both are the "Internet", but then by that argument so is opening Word while online...oh wait.
Help me, jerry, I'm lost. First you wrote: > The second thing is that a cookie can be set with this image > in order to associate that cookie with an email address - this is a security > hole. and then: > Setting cookies is not a security issue. I agree with your second personality, but not your first. =)
It's really easy: Setting cookies in email: security problem Setting cookies over Web: Fine Regardless of Netscape's desire to integrate Web mail with email, email is an entirely different context than the Web.
Can you please explain the _security_ (not privacy -- that part is crystal clear to everyone, I hope) implications for setting a cookie via email? That part is totally eluding me, and I consider myself a pretty savvy guy when it comes to web-related security issues. (Or, better: don't answer that question, and just write a patch to wield the content-policy hammer against this particular nail.)
Jerry, you make me laugh. Who at mozilla.org (not netscape.com now, please don't be insulting shaver@zeroknowledge.com, blizzard@redhat.com, hecker@collab.net, or brendan@meer.net by insinuating that we are controlled by netscape.com) ever was "fiercely resistant" to the right privacy-protecting defaults here, or elsewhere? The mozilla.org folks beholden to netscape.com have never uttered a word on this topic. "Help, help! I'm being repressed!" This isn't some student protest exercise where talk is the main by-product because we're all oppressed by the system. This is do-the-coding-yourself, put-up-or-shut-up open source. There is no way mozilla.org can or should coerce netscape.com into fixing this bug if for whatever reason(s) netscape.com fails to see its priority. How about helping out with implementations of shaver's general content-policy interface (bug 37983) instead of making this bug any longer, mmmkay? /be
I'm glad to provide you with entertainment. If you think that privacy and security are funny, then there is probably nothing I can do to change your mind. But, THIS IS NOT a put up or shut up system. You, and others, are coding a browser for the general public, but you don't want feedback from the general public. This is part of the problem that I have been making all this noise about.
> THIS IS NOT a put up or shut up system This part of the world is exactly that. If you want to take on the corporate monolith, take it on through its front door, the marketing department and customer feedback. Going around the back and shouting at the engineers through the open-source door is, in my opinion, somewhat rude.
I'm fine with that then. I will file a bug on Bugzilla to get the Bugzilla bug pages to add, "If you do not intend to code a solution to a problem you have found, do not report it to us. We are not interested". Is that wording OK?
> I'm glad to provide you with entertainment. If you think that privacy and > security are funny, then there is probably nothing I can do to change your > mind. Get off your high horse, Sir. > But, THIS IS NOT a put up or shut up system. No, that's exactly what open source is, and you are not putting up anything but noise. I'm not the type to killfile irrational people, and even a broken clock is worth listening to twice a day. So keep your feedback coming, but maybe in a better forum than this bug, eh? And (for the last time) try to enlist some competent hackers to help fix the problem reported by this bug, please. The existing pool of developers are pretty busy with their own priorities, and they are not mine to command. > You, and others, are coding a browser for the general public, but you don't > want feedback from the general public. What are you talking about? We want and get feedback all the time, including your vague, windy complaining. Who says I have to like it, but I'm not stifling you, killfiling you, or kicking you out of bugzilla, nor would I or any staffer do such a bad thing. If you think pdt@netscape.com is ignoring you, then why aren't you bothering them instead of us who read updates to this bug? > This is part of the problem that I have been making all this noise about. Oh brother, here we go again. Have you no shame? Stop whining! /be
It should simply say "Since you're not paying for this product, no-one is under any obligation to fix any problems you report, although we do try to. If you don't agree with our priorities, you can fix it yourself or you can try to persuade us (or our management) to change our priorities. Just don't get all whiny if you fail." Over and out. You know where to find me :-).
Jerry, calm down. My guess is that Moz 1.0 (which luckily will be some time *after* N6) won't ship with this bug. N6 will propably ship with it, but well... :).
Removed my vote, please move this discussion to the newsgroup(s) it's not helping anything here by driving votes away.
With jefft's permission, I'm reassigning this bug to myself. Shaver and I are working on this bug, bug 18352, and probably bug 46859 in a concerted way that may result in patches soon enough to consider for Netscape 6 RTM. /be
Assignee: jefft → brendan
Status: ASSIGNED → NEW
Setting target milestone to mozilla0.9. Hoping to get something done much sooner, shaver and I welcome help. /be
Status: NEW → ASSIGNED
Target Milestone: M18 → mozilla0.9
What does bug 46859 have to do with this bug? I hope, you don't intend to pop up dialog for external msgs? Many msgs with web bugs also contain normal (visible) external images, so an uninformed user would propably allow images to be loaded, if asked. How can I help?
Brendan, shaver, could you please define the fix you have in mind? I hope it doesn't involve any new "security warining" type dialog boxes. How do you propose to solve this problem?
Ben: bug 46859 has nothing to do with the solution to this bug, but it's part of the cleanup we think we'll do at the same time as we fix bug 18352. Boy, you guys must think we fell off a turnip truck. Shaver and I are even more averse to the "add yet another dialog in the naive user's face" theory of customization. Shaver and I currently think we just need to extend the image blocking to block images loaded from mail messages, based on a domain name blacklist. Everyone seems to agree that it'll be important to distinguish the mail case from the browsing case, so some extension seems required. How to specify the blacklist? Prefs, with UI later comes to mind. BenB, the first thing you could do to help is comment on this idea. Also, help test the patches developed in the related or coinciding-in-code bugs that we're trying to fix. Thanks, /be
I still think you need the general case of block all external images since blocking from blacked out domains is fine so long as you know they smacked you with a webbug, since most user's won't know and by the time they do its too late. I think the point at which to prune this tree is to identify local domains not bad domains, if an IMG tag refers to a domain outside the local domain list then its blocked otherwise its allowed. This if you like is much the same as a blacklist, except its a whitelist which is much shorter and easier to manage. It should also be slightly quicker in usage. At the same time I'd use a different broken image icon to help the user identify (once they understood what the icon meant of course).
Can the image blocking feature be used to block other kinds of included content (embeds, applets, iframes, etc)?
Personally, I don't see too much value in customizing the domains from which image loading is allowed, especially not enough value to have UI for it. Also, what mstoltz said. I would like to see an opt-in approach, i.e. one that blocks *all* loading of external resources, even those that don't exist yet (because somebody might add a feature like external stylesheets to layout and not think of the "content" loading policy), unless specifically allowed. Because of that, nsIContentPolicy seems more appropriate to me than the image blocker. Do you intend to merge the current image blocking code/interfaces and |nsIContentPolicy|?
I'm in the process of adding a security call, nsScriptSecurityManager::CheckLoadURI everywhere an URL is loaded by web content. This seems related. Could the policy be implemented there? This would (in theory) cover all secondary loads, not just images.
Is there no way to add this is a more central place, e.g. netwerk, or don't we have enough information (e.g. about the initiator) at this point?
Umm well its considerably more secure to enable such off-network images than to disable. That way if you have an electronic magazine mailed to you with legitimate images you can enable it.
Just my idea, but since I don't know anything about how necko works, take it for what it is. Can Mozilla just be told not to load any requests for external resources that originate from a mail window (maybe before the URI even makes it to Necko?)? Since JavaScript can be disabled in mail&news separately from the browser, it seems to me like the parser knows when it is in a mail or news window and when it isn't. Couldn't the parser just be told to ignore requests for external resources that originate in a mail (or news?) window?
We could do what jerrybaker describes using CheckLoadURI. This will stop the load before it ever gets to Necko, if used properly.
that adds an overhead to every CheckURI to check the origin, I looked at that it looked very expensive
> That way if you have an electronic magazine mailed to you with legitimate > images you can enable it. Althought that argument is frequently made, I can't see any real justification. The user is going to have to download the images whether that occurs when the mail is downloaded, or when the images are loaded when the mail is opened. The only edge case where a valid argument might be made is when the external link is to a dynamic image that conveys some sort of time sensitive information.
> that adds an overhead to every CheckURI to check the origin, I looked at that > it looked very expensive So I take it that the parser does not know when it is parsing mail content vs. browser content? If it does, why do you need to check the URI at all? Just refuse it flat out.
slucy: we could have a whitelist or a blacklist. It isn't hard to do both. We could even allow subdomains to be blacklisted from a superdomain that passes the whitelist. If there is no whitelist, only the blacklist applies. How does this sound? BenB: you wrote "Do you intend to merge the current image blocking code/interfaces and |nsIContentPolicy|?" Yes, although not all at once, and not in a way that makes it hard to get a patch fixing this bug into the Netscape 6 branch. Note that nsIContentPolicy is interface only, so we need to write new code, or morph old code, to implement the new interface. mstoltz: if you haven't yet, please check out nsIContentPolicy, shaver already went to the trouble to add uses of it when loading several kinds of elements. See http://lxr.mozilla.org/mozilla/search?string=nsIContentPolicy and let's talk. It seems shaver intentionally added the nsIContentPolicy check after the nsIScriptSecurityManager one in places where both are needed, to let security mechanism have first crack. I think that's right -- privacy policy should not go through the script security manager. Thoughts? Jerry: nsIContentPolicy is used to stop loads in layout code from ever reaching Necko. /be
> I think that's right -- privacy policy should not > go through the script security manager. Thoughts? It seems to me that you need the privacy check whereever you need the security check |nsScriptSecurityManager::CheckLoadURI|. So, if you want to keep a privacy and a security interface, then add a new one, covering both pirvacy and security, which is called where |nsScriptSecurityManager::CheckLoadURI| is called now, and its implementation then calls |nsScriptSecurityManager::CheckLoadURI| and you privacy interface. Should we move this discussion to bug 18352 or even the newsgroup?
Ben: let's move the design discussion to bug 18352, if not to a newsgroup. The current nsIScriptSecurityManager interface can't express the "shouldLoad" and "shouldProcess" results that nsIContentPolicy can, which (if false) lead to no failure codes (unlike nsIScriptSecurityManager, which can only fail the check). The CheckLoadURI method also doesn't take an enumerated typecode indicating what kind of URI load or processing is about to happen. Mitch: can you update bug 18352 with the places beyond http://lxr.mozilla.org/mozilla/ident?i=CheckLoadURI where you intend to add calls to the security manager? /be
agreed on the whitelist and blacklist, I was thinking of other privacy apps when considering that, its a well known concept so it shouldn't be difficult to get across or produce a UI for. jerry: I think the point is that some people want images delivered and you can't militate for website/email design only give them the best fit, starting with a whitelist of local domains implies no other domains would be used to deliver images (or other misused tags), and at the same time lets the user opt out by adding trusted sites. and agreed it doesn't belong in script but if there's a ContentPolicy that can identify quickly without addrefs that its in email then that seems more than reasonable. And this whole area seems to need a newsgroup/list to itself :-)
slucy: nsScriptSecurityManager::CheckLoadURI doesn't look as cheap as one might like, but it will be called no matter what -- at least in any browser where the caps/src code is included. And AddRef costs are the least of CheckLoadURI's costs. I updated bug 18352 with a new comment. /be
> jerry: I think the point is that some people want images delivered and you > can't militate for website/email design only give them the best fit I can live with that, but can I make a quick point? Choice is always good, and taking away user's choice is always bad, under one condition - that the choice being taken away somehow causes a loss of usability or convenience. As I was saying before, whether a user downloads the images in a mail message (because they are all there with multipart/related) or whether they have to download them from some remote server when they open the message makes no difference to the end user. In fact, the email may be quite a bit faster as POP servers are usually not that far up the pipe from the user. I could understand hesistating to remove the ability to include remote content if there were not another way to add that content, but there is. The only reason that a mailer could be upset that they could not use remote content is because their mailer won't let them do multipart/related (rare), or because they want to make use of this privacy hole.
>I could understand hesistating to remove the ability to include remote content >if there were not another way to add that content, but there is. The only >reason that a mailer could be upset that they could not use remote content is >because their mailer won't let them do multipart/related (rare), or because >they want to make use of this privacy hole. I'm confused, that's dealing with life the way it should be, not the way it is. The user wants to receive, say, an HTML mag in his email and it contains images and tagged images and refresh meta tags and god knows what, plugins probably as well. Since the user has no control over the designer of the page, and since its unlikely the senders of the mag want to have a different version for email or send every damn image to everyone at the time of mailing its pretty likely that the images aren't going to be sent. That's perfectly valid. I can't see how multipart related helps, but perhaps I'm thick :-)
Ok. One more comment :-) All HTML mail readers that are capable of displaying a Web page in email are also capable of displaying multipart/related images, so that knocks down the objection that the mailer wants to be 'compatible" with all mail readers in some way or another. Second, the mailer not wanting to send images with the mail (presumably because of bandwidth) doesn't hold much water after all. The recipient has to use their bandwidth to get the images off of their server anyway, what is the difference whether this bandwidth usage occurs at the time of mailing, or at the time of reading? *All future discussion of this should probably be in n.p.m.security.
>what is the difference whether this bandwidth usage occurs at the time of >mailing, or at the time of reading? There's a huge difference. I get WebMonkey delivered in email, i probably don't bother looking at it more than once a month, it gets delivered to say 5,000 (or 50,000 whatever), people they look at it when they see it, probably quite a majority within an hour, but its likely to be some kind of sine wave with time zones and the like. If they send out every image (and advert), then their mail server grinds exceeding slow and so on downstream and take a hit regardless of when people read the content.
Is 18352 the one you wanted to add to Brendan? That seems to be about the extensions directory.
Posted <news://news.mozilla.org/39DACD11.FD472602@bucksch.org> my reply to .security.
nsIContentPolicy is about more than just privacy -- it's also for general browsing prefs, like banner blocking and the like -- but I could see value in unifying the hooks. I don't think that we should unify them under the banner of nsScriptSecurityManager, because people might want to control content policy without our (unavoidably JS-biased) caps/ implementation, or for reasons other than security. (If we're going to discuss the mechanics in another bug, which seems sage, let's leave poor 18352 alone and use 37983.)
Nominating for rtm.
Keywords: rtm
QA Contact: czhang → junruh
This is a problem in messenger as well as in mail/news.
Messenger == Mailnews!?!
oh, i meant netscape instant messenger. sorry for the confusion.
As far as this Mozilla hacker is concerned, the problem with Netscape Instant Messenger is that it's not open source, not that it has any specific privacy characteristics.
shaver, AIM is similar to Mailnews in that you get content you didn't choose yourself. I heard that AIM is a particular bad place for spam. Doesn't it support HTML, too? If yes, you should protect it just as you protect Mailnews. But, of course, this would have to be done by Netscape.
Keywords: mozilla1.0
Keywords: mozilla0.9
rtm-, we've already had the discussion and we're not doing this. Without a patch attached, there's no chance anyway.
Whiteboard: [nsbeta3-][nsbeta2-] → [nsbeta3-][nsbeta2-][rtm-]
Sorry for the extra mail. Removing mail4 keyword.
Keywords: mail4
Not doing what? If you mean blocking webbug type junk in email I thought it was underway, if you mean AIM that should really have a different bug
Keywords: privacy
Adding nsbeta1 keyword. This should either be fixed or marked Wontfix.
Keywords: nsbeta1
why does it need to be WONTFIX if it's not going to be fixed for a particular Netscape beta? In fact, it's not assigned to a Netscape person, which is a reasonable indication that a "nsbeta" marking is inappropriate or meaningless. Clearly Netscape has no interest in this feature (if you're that paranoid you can turn off all images) but that doesn't mean it's not a good thing for mozilla folk to eventually add finer granularity to the image blocking.
QA > ckritzer
QA Contact: junruh → ckritzer
Servers can also be contected via Javascript (embedded in the mailnews msg) loading images or automatically submitting forms. This will have to be covered, too.
Bug 60676, which looks like a duplicate of this bug, contains some UI suggestions
*** Bug 60676 has been marked as a duplicate of this bug. ***
Want a security issue on this bug? Try this in an email: <img src="http://www.yahoo.com/+++ATH0.gif"> When this email is displayed on screens of some modem users, it will disconnect their modem (should be obvious why). Sounds like denial-of-service to me, admittedly a pretty minor one. Possible potential for making it e.g. dial a premium-rate/international number, too, which I haven't tried and may well not be doable, but if it is possible it could prove profitable via spam. This is actually a bug in some Rockwell V90 modem firmware, as modems are supposed to require a 1-second pause between +++ and AT. And even if it *wasn't* a bug in the modem it would then be a bug in the TCP stack, not Mozilla. However, even though it isn't a Mozilla bug as such, it is yet one more security hole which 'allowing email do more or less anything it likes' is bound to provide. (BTW I don't know what proportion of modems it affects; only tried three, two of them - both cheap internal modems, one shipped with a Dell computer - were affected, the other - a USR external - was not. It may not be a major problem, or it may be.) Anyway, just for information. Apologies if this is already well-known. --sam
> Servers can also be contected via Javascript That's why there is an "Enable JavaScript for Mail and News" preference. An elaborate UI with per-site control would a be nice thing (I wouldn't think it worthwhile for just this bug), but an "Enable Remote Content for Mail and News" preference is essential. I can't imagine anyone disabling the latter but not the former.
<img src="http://www.yahoo.com/+++ATH0.gif"> has _nothing_ to do w/ this bug, IMO it's a TCP stack bug however if you feel that we should do something about it, then you should file a bug in networking: http.
Keywords: nsbeta2, nsbeta3, rtm
Whiteboard: [nsbeta3-][nsbeta2-][rtm-]
Wow, chatting a modem with a URL, who'da thunk. /be
Keywords: mozilla0.9mozilla0.9.1
Target Milestone: mozilla0.9 → mozilla0.9.1
Load-balancing. Performance first, anyone who wants this and can fix it, please feel free to take it. /be
Keywords: mozilla0.9.1mozilla0.9.2
Target Milestone: mozilla0.9.1 → mozilla0.9.2
*** Bug 86627 has been marked as a duplicate of this bug. ***
Target Milestone: mozilla0.9.2 → mozilla0.9.3
I'm not going to get to this in the next milestone. Help definitely wanted. /be
Target Milestone: mozilla0.9.3 → mozilla0.9.5
Brendan, How do you propose to solve this? It basically means going offline while we parse and read mail, right?
It's part of the ContentPolicy plan. Obviously that has to be implemented first.
*** Bug 96062 has been marked as a duplicate of this bug. ***
It has been implemented in KMail, which is opensource, so one can have a look at how it's been done. See this bugtraq post that mentions the option in KMail: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1% 26start%3D2001-08-19%26fromthread%3D0%26threads%3D0%26mid%3D206015%26end%3D2001- 08-25%26
*** Bug 99616 has been marked as a duplicate of this bug. ***
*** Bug 99904 has been marked as a duplicate of this bug. ***
I still have no time for this -- does anyone? /be
Keywords: mozilla0.9.2
Target Milestone: mozilla0.9.5 → mozilla0.9.7
Blocks: 104166
See also bug 104802: it might be necessary to disable all plug-ins in the mail window (even ones in multipart messages) in addition to not loading images from the web.
*** Bug 104802 has been marked as a duplicate of this bug. ***
FYI: This is the HTML mail option in Evolution: -- in HTML mails -- ( ) Never load images off the net (o) Load images if sender is in addressbook ( ) Always load images off the net
'Load images if sender is in address book' could become useless if it interacts with the 'Collected Addresses' address book.
"Load images if sender is in address book" isn't very useful anyway. All a spammer would have to do in order to make me load an image is know *one* address in my address book and spoof that address. One easy guess would be the victim's own address, and additional guesses could be other addresses on the same page the victim's address was found on.
*** Bug 110432 has been marked as a duplicate of this bug. ***
my preference would be to bring the old NN4 button back (bug 55657), so I would see the html attachment in the attachment plane and could open it as any other attachment.
Footprint/perf works take precedence. Reiterating helpwanted. /be
Target Milestone: mozilla0.9.7 → mozilla0.9.8
*** Bug 111043 has been marked as a duplicate of this bug. ***
*** Bug 110720 has been marked as a duplicate of this bug. ***
*** Bug 114677 has been marked as a duplicate of this bug. ***
About Comment #31 [Newsletters: Loading graphics from server causes less traffic because graphics are saved in cache] One way to resolve this, is that even if you selected an option like "Do not download images from a remote server while reading email" that can get an option like "Download all images for this e-mail" with a checkbox "remember this option for this recipient".
Or simpler, put a button somewhere (and keyboard shortcut) that loads the images and other network stuff once you've glanced at a mail and decide it's OK.
*** Bug 118473 has been marked as a duplicate of this bug. ***
Dylan_G@bigfoot.com has stepped up (yay!). Ben, I've taken the liberty of making you QA Contact (ckritzer is long gone from netscape.com). /be
Assignee: brendan → Dylan_G
Status: ASSIGNED → NEW
QA Contact: ckritzer → mozilla
Status: NEW → ASSIGNED
> Dylan_G@bigfoot.com has stepped up (yay!) Great news. I would suggest Mac OS X's Mail.app as an emailer that gets it right. Cf. attachment, which shows the same message (1) in Mozilla, and (2) in Mail.app. In Mozilla, opening that message (merely by deleting the previous one!) caused me to confirm my address for the spammer :-( , due to this tag in the HTML source: <img src="http://uweb.savingbot.com/chkmailview.php?to=hysterion@mac.com&title=SavingBot_20020125"> In Mail.app, you can prevent this by leaving the pref "Download all images, animations, and other HTML attachments" unchecked. And still the general layout is rendered with all elements in evidence, including that pesky "chkmailview.php". (On top of that, also pictured is a button to *bounce* unwanted mail, but I guess that's another RFE.) I also agree with comment #146, that a button to override that pref on a message-by-message basis would be great.
Well, here is my plan (which is being hampered by me being unable to build Mozilla consistenly currently): I need to trace down where gekco is involved and have a pref checked to see if the HTML should be ignored (just use default rulesets, or some ASCII convert). Once I familiarize myself with Gecko's core more, I want to adda pref for "sandboxed" HTML email (only MIME encoded images are loaded: nothing else). So you can default to unsafe, sandboxed, or paranoid. I just have to find where this code path is :)
An alternative to stripping HTML would be to just stick a new content-policy object in the chain when this pref is set, and that object can refuse to load all content with a protocol that isn't the same as the enclosing document. (I think that's a _better_ alternative too, for a whole variety of reasons.) You can look at the image manager's code for an example of content policy objects and how to deal with them. We might need to teach the content policy service a better way to handle dynamic registration of objects -- I can't remember if I ever got to that -- than category poking, but that's easy. (I volunteer, even!)
> I need to trace down where gekco is involved > and have a pref checked to see if the HTML should be ignored (just use default > rulesets, or some ASCII convert). That would be bug 30888, I guess. It wouldn't fix this bug, just provide an alternative for people already knowing about the problem.
Cool, thanks for the help, Mike :) I'll start trying to grok that part of the tree. Feel free to link the content registration stuff as something this bug depends on (or tell me which bug I need to link).
Next milestone while I continue to work..
Target Milestone: mozilla0.9.8 → mozilla0.9.9
> > have a pref checked to see if the HTML should be ignored (just use default > > rulesets, or some ASCII convert). > That would be bug 30888, I guess. It wouldn't fix this bug, just provide an > alternative for people already knowing about the problem. Update: I am working on that. See <http://bugzilla.mozilla.org/show_bug.cgi?id=69529#c32> for current state.
Ben, thanks for your work, it's just coincidence that I happen to make a comment :) Lots of comments in this bug, trying to summarize and some new ideas: Blocking loading of images is not enough, because any embedded URL (e.g. CSS) could contain the identification hint. Blocking ? query strings is not enough, because URLs like host.com/cgi-bin/SpammerNumberToAddressMapping would still work. One bug was duped that suggested Mozilla should simply ask before allowing the request. Ideally, I think, this bug should be solved in a way similar to the "load images privacy" privacy feature. I think, in addition to "cookie sites" and "image sites" we should have "allow html by mail" sites. That would bring up a confirmation prompt when the email component triggers loading of embedded HTML content from a site for the first time. When a mail is displayed, the HTML source is local already. I suggest, when executing the calls to render that HTML, that call should be extended by an optional "internal rendering requester" identifier. That identifier should be passed on (either as a parameter or by a member of some object) to any code involved in loading embedded objects or rendering the HTML. In our case it would be an "mailnews" identifier. (When browsing the web, the rendering engine would be given a "browser" identifier.) That way, the code which is responsible for fetching would bring up the "new site wants to load content triggered by mailnews, do you allow?" warning. If the user denies, the HTML mail will be partially rendered correctly. Who knows how we could pass that "internal orignator" bit all the way down?
I don't think that rendering of HTML is an issue here at all, in that HTML without the server hits is basically, for purposes of this bug, rich text. (Excepting scripts and cookie adjustment, but we have ways to turn off script in mail anyway.) I guess I don't understand why you need to pass in a magic token when we have the URL for both the containing document and the desired URL coming in already to your content policy object. Back In The Day, we talked about a window-type parameter for the content policy hooks, but I seem to recall us deciding it wasn't worth the trouble, given that you already had the URL of the containing document. Now, it looks from quick LXR diving that we no longer call the content-policy hooks for external style sheet references, and I'm not sure what the path is like for site icons, but these are small bugs to be resolved once the big pieces are in place.
> I don't think that rendering of HTML is an issue here at all, in that HTML > without the server hits is basically, for purposes of this bug, rich text. Right, I was referring to text only rendering. > (Excepting scripts and cookie adjustment, but we have ways to turn off script in > mail anyway.) Right, and for cookies I wouldn't introduce a new settings category, but use the same cookie management we already have. > I guess I don't understand why you need to pass in a magic token when we have > the URL for both the containing document and the desired URL coming in already > to your content policy object. Back In The Day, we talked about a window-type > parameter for the content policy hooks, but I seem to recall us deciding it > wasn't worth the trouble, given that you already had the URL of the containing > document. I didn't knew that, if we have the containing URL available everywhere, that's great, and we can make the decision (whether this request falls into the mailnews category or not) based on that's URL protocol. > Now, it looks from quick LXR diving that we no longer call the content-policy > hooks for external style sheet references, and I'm not sure what the path is > like for site icons, but these are small bugs to be resolved once the big pieces > are in place. Sounds good. Does somebody object to a new category "sites allowed to load html embedded content triggered by mailnews" in addition to images sites and cookie sites? If this suggestion gets accepted, is the implementation identical with the following? - duplicate "image sites" preferences code, and adjust it - find the right place to catch any protocol request, (maybe it helps to find out where the test is implemented that checks whether the request falls into the "image site" category) and check whether the following condition is true: is containing document's URL (as seen in content policy) protocol in [imap, pop3, news, localmail] and ( user allows any mailnews triggered content loading or user allows "mailnews triggered fetching" from requested site {if unknown prompt user} ) Re the target network protocol, I'd not make a difference between protocols, and not even allow file://, because that could confuse users when an email shows them their local system configuration files in an IFRAME etc.
In a perfect world, one message would not even be able to load content from a different message. A message should be able to load content from the same message (using multipart/related)
Checking stylesheets and javascript files would probably help solving at least part of bug 53968 (where's the related bugs field...)
Blocks: 108004
Blocks: 31907
I am making progress on bug 108153, which is another workaround for this bug.
Adding CC.
Target Milestone: mozilla0.9.9 → mozilla1.0.1
Keywords: mozilla1.0+
Keywords: mozilla1.0
Is this bug truly blocked by bug 37983? Dylan, how's it going for 1.0? /be
Ok, here's where I'm at. I know roughly where mailnews decides to parse, thanks to the patch where it completely disables HTML. At that point I need to put in a decision (based on a user pref) whether our policy on parsing the HTML in the email is NO REMOTE or REMOTE ALLOWED. Mike S. sent me a description: "- you need to implement nsIContentPolicy and register your implementation (http://off.net/~shaver/content-policy.html has some tips, and I think it's still largely correct). - your content policy implementation needs to make its shouldLoad decision based on the prefs you mention" From there it's a matter of testing. So the big hurdle is wether or not I can quickly write the code which makes the load decision. I can make a whitelist of allowed protocols for each path and parse the decision on based on that, but the actual description isn't clear enough to me (with my level of exprience with Mozilla). I was going to spend next week going over the bits I can do easily first.
> I know roughly where mailnews decides to parse, thanks to the patch where it > completely disables HTML. At that point I need to put in a decision (based on a > user pref) whether our policy on parsing the HTML in the email is NO REMOTE or > REMOTE ALLOWED. If you mean my patch for bug 30888, that is not the normal HTML parsing. Normally, libmime just parses MIME stuff and writes HTML content directly (unchecked) into the result stream. That result stream is rendered in the msg pane, leaving it up to Gecko to sort it all out.
I have a suggestion on how this feature could be implemented. Basicly, you just implement a set of preferences similar to the existing prefs under privacy-images with the folowing items: a set of radio buttons that read 1.Do not load any external content for emails 2.Do not load external content for emails except when the user accepts the server 3.Accept all external content for emails Option 1 would never load external content Option 2 would basicly pop up a box everytime a HTML email with external content was loaded and say "do you wish to block this external content" and it would add the domain name to a blacklist that could be edited with some kind of blocker Option 3 would always show external content As to what option to make the default, I dont know.
I'd prefer an additional choice of "Always ask".
Probably for the 1000th time, but I'm going to add it to this way too long comment list anyway. I recently switched to Mozilla for e-mail and really don't want to change back, but this issue forces me to do so. In my opinion there's no way to separate good HTML mail from bad. Instead of thinking out and planning for very complex and flexible solutions, why not simply add a preference that disables *any* HTML rendering of email by default (by displaying the text alternate or HTML source). And provide an option to show a selected/opened message with HTML rendering on. This would be easy to implement, can default to current behaviour, solves the issue for me (and others) while better ways to restrict HTML rendering can be implemented. Please don't get mad at me for repeating what others have said already, but I didn't read any objections to a solution like this. This feature would also be usefull for other situations which would not be handled by restricting connections or certain HTML tags. On the subject of using third party software to block connections made by the mailreader: My firewall can't distinguish if the connection is comming from the browser component or the mail component because the executable is 'Mozilla.exe' in both cases. This also has reverse affect allowing the browser component to connect to my POP server.
bvr: I want html rendering but no server hits (other than my mail server to download the mail) to read mail (privacy, spam prevention). That's what this bug is about. It's not a problem of html mail but of html mail with links to external resources.
> why not simply add a preference that disables *any* HTML rendering of email by default I said it above already, but some people obviously missed it: That's what bug 30888 implements. Patch is waiting for review.
Sorry that this won't be in 1.0, but it's actually a lot harder than I thought it'd be to fix :) I'm learning XPCOM based around what Mike Shaver's told me of how to tackle it, but I'm finding that the other examples of the nsISupports through the code (for other security things) are inconsistent at best (some have bitrotted away, the entire security setup needs a review by someone who knows more about it). If you know anything or can help, please pitch in.
*** Bug 135298 has been marked as a duplicate of this bug. ***
FYI: bug 108153 and bug 30888 (which both provide a workaround for this bug) have been check into the trunk (not the 1.0 branch yet). See <http://bugzilla.mozilla.org/show_bug.cgi?id=30888#c169>.
*** Bug 138151 has been marked as a duplicate of this bug. ***
Blocks: 138249
*** Bug 139743 has been marked as a duplicate of this bug. ***
*** Bug 141012 has been marked as a duplicate of this bug. ***
*** Bug 141559 has been marked as a duplicate of this bug. ***
*** Bug 141774 has been marked as a duplicate of this bug. ***
I think a whitelist/blacklist is unlikely to be too useful to the average user without associated button(s) to allow/block image load for a given message. I'm of the opinion that the blacklist should default to *, too - but that would require something to confront the user and explain, and I'm not sure that's a good thing. The idea of just going "offline" is all well and good... for POP3 mail. A bit of a pain for IMAP. I'd be inclined to suggest blocking all images by default, with an icon/button to enable image loading for (1)this message (2) all messages From: this sender and adding a prefs dialog option to change the default from block all to allow all. Perhaps (dreaming, here) even block all except x (intranet, etc) as per whitelist/blacklist suggestions in this thread. The question is, can this be made user-friendly enough? I think it _has_ to be implemented one way or another. I read the Postmaster account from Mozilla, and the amount of bugged spam is nothing short of astonishing.
If we are reading IMAP mail we already know the server's name, and the same with POP. Is it really that hard to disallow the initiation of any network activity whatsoever from within a mail message EXCEPT to the mail server?
The solution is as follows: The HTTP getremote functionality checks if it's being called from an HTML document (which succeeds, although things like referrer are striped from file:// base docs), or from mail (which will be blocked by default; else allow if pref is set to allow remote content in email). I've been too busy with RL happenings (most importantly finding work) to sit down and figure out how to modify the content policy handlers. Once that's done it's a small amount of work for a UI dialog in prefs and testing.
*** Bug 144781 has been marked as a duplicate of this bug. ***
Spammers are making major use of this loophole. I strongly urge that outgoing network activity based on the act of reading email require explicit user authorization.
Bryce: If you select View -> Message Body As -> Simple HTML, then there're no server hits.
Alex, and where exactly is that option? I'm using RC2, and see nothing like that.
It's in the nightlies. But that setting doesn't stick between sessions.
Alex, "View as Simple HTML" is nice, but not nearly good enough. On some messages neither "as Simple HTML", nor "as plain text" show me anything at all, while the message is still entirely self-contained and can be viewed properly w/o any server hits! In other words, I do want "complex" HTML, I just want it to only use the content that's already available in the message itself.
Mikhail: As Torgeir mentioned, the option is in the nightlies, which you can download here: http://ftp.mozilla.org/pub/mozilla/nightly/latest/ Torgeir: At least with 2002051604 (on Win2k), the setting seems to be persistent for me :-/. Aleksey: I'm not proposing that "Simple HTML" is the solution to this bug, merely a workaround until it's fully completed :).
I'd like "complex html", as long as all the content & images are contained within the message. It's also critical that it be easy to say "this one's fine --- let it load images". The issue is broader than HTML. I'd like Mozilla to promise me that reading email is a fully private activity, resulting in no network activity. Any activity (return receipts, url loading, etc) should require my permission. -BN I'd also like to be able to mark spam as read without reading it, but that's a seperate matter.
Can't this get put at a much lower level within the codebase? If the rule is that mailnews can only talk to it's mailserver, can't a block be put at the network layer? In one swell foop, you'd block (or catch) all the cases with potential privacy violations. There are lots of ways to violate privacy based on rich email. Cookies for example ( Bug #22994 ), or images ( Bug #144781 ). With a network layer block, you don't have to think of all of them in advance.
"<i>can't a block be put at the network layer?</i>" It can. That's precisely what I want to have, and am working on, for the patch. However, the XPCOM stuff which lets you define the methods for doing the boolean decision about if something is OK to load or not from context info (in this case, the context is loading from mail/news area) is a bit beyond my current abilities, plus I've been going through a job situation -- thus the slowness of my patch to come out.
Mass removing self from CC list.
Now I feel sumb because I have to add back. Sorry for the spam.
*** Bug 148386 has been marked as a duplicate of this bug. ***
*** Bug 148859 has been marked as a duplicate of this bug. ***
*** Bug 151017 has been marked as a duplicate of this bug. ***
Spammers are sending out things like the following. The image, of course, is too small to be seen. I deleted the spam domain and my email address from the snippet below. <p>Hi, did you receive my previous email message?</p> <p>I sent it 2 weeks ago, but I&nbsp;still didn't get an answer, please check in your old email.</p> <p>Anyway, I'll send you another copy tomorrow or the day after, you don't need to reply to this email.</p> <p><img src="http://[SPAM DOMAIN DELETED]/w.cgi?email=[MY EMAIL DELETED]" border="0"></p> <p>Regards,</p> <p>John Laplace</p>
waldemar: So, for that, you just turn off images in MailNews, eh? (see also bug 97055) And, I realize that bug 97055 only covers a subset of this bug, but it helps.
Waldemar: what is your point in comment 197? That's what started this bug.
Blocks: 158464
*** Bug 159151 has been marked as a duplicate of this bug. ***
Alias: ImgInMail
Looks like we will miss the target milestone. pi
Could someone please remove supradave@earthlink.net from the maillist to this bug. I haven't wanted to submit a bug about it, but I keep getting mail about it and I don't know about or how to fix it. Thanks, Dave
sincere apologies for spam, but just so everyone knows that Dave's had a reply... Dave - you're getting mail about this bug because you've voted for it. Go to the bugzilla page, and in the page footer, you'll see a link that says "My votes". Follow that link, uncheck the box next to this bug, and click the "change votes" button.
Blocks: majorbugs
FYI: even with "cookies off in mail&news" cookies are enabled...:( set Mozilla to "dont accept cookies" in Mozilla Mail set Mozilla to "dont show remote images" in Mozilla Mail set Mozilla to show "original HTML" now send a mail to browserspyhtmlmail@gemal.dk read the reply mail that comes back now check your cookies in the Cookie manager. A cookie from gemal.dk is now present! that bug 168258
*** Bug 168174 has been marked as a duplicate of this bug. ***
I removed myself from this bug but it keeps emailing me... Re-adding myself and removing myself again...
*** Bug 176165 has been marked as a duplicate of this bug. ***
According to http://www.msnbc.com/news/829223.asp?0si=- next Outlook will have this feature enabled by default.
With the additions of "do not load remote images in mail & newsgroups" and "enable plugins for mail & newsgroups" (bug 147877), and "disable cookies in mail & newsgroups" -- what else is there to be fixed before we close this bug? The only thing I can think of is defaulting with these settings to be secure, and maybe adding them to a global section of the security tab in mail/news preferences. Comments?
dylang, I think comment #5 pretty much sums it up. It's one thing to block images, plugins, and cookies, but quite another to block all network activity originating from an email message. That would be far more secure. For example, what about frames or iframes? What if a spammer includes a stylesheet that points to a CGI? What about prefetching? What about shortcut icons? And the list goes on. :-) I think a block at the network layer *does* make sense...
I suppose as long as the correct combination of those preferences can absolutely guarantee that no network activity will be initiated by reading a mail message, then it's all covered. If, however, there is any way to trigger network activity without explicit user input, then this has not been fixed in a satisfactory manner.
Jerry, as has been pointed out previously, they cannot. And even if they could it would be good to have a main switch on the network level.
FYI: As the summary indicates, this bug has always been intended by me (the reporter) to include *any* possibility of network activity, not just images. See commment 25.
I'd like to make a radical, and possibly impractical, suggestion. If you're considering a network-level switch to fix this bug, why not fully separate MailNews's network-level status? There are certainly times of slow connection when I'd want my browser online but my mailNews offline - then I can browse, delete, etc. my mail at local speeds but still get online data in the browser. [Of course, that solution would require a real, working offline mail client. Bugs like <A HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=67172">67172</a> would become more pressing]
Impractical, yes :)
The optimal solution I've alsayws wanted in a hook in network code. Right now Mozilla, at the network level, will not fill out the HTTP request structure the same way if it's in the mail/news area (because we don't want to leak the specific message, etc, to a remote server via referrer). Extending this to simply ignore all network activity if origin is mail/news shouldn't be too hard, it's just that I haven't had time to fully go through all the code (there is a lot :-/) to make sure that such an idea wouldn't lead to new bugs elsewhere. The offline solution isn't applicable to people using IMAP (myself, others), because IMAP has to be online to look at new messages if you don't have your brower set to autodownload messages (the default). I look at my mailbox from many locations, and value the online features :)
If somehow the Mail/News reader would be running NOT as Mozilla.exe it would be possible to solve this whole problem with a firewall or IP filter by disabling all outgoing communication (or making different rules for it). However, as comment 168 says, currently it is not possible to distinguish between the Mozilla Mail/News reader and the browser (both identified as application Mozilla.exe). Wouldn't it be easier to do this as a preliminary solution? I know that under Windooze it would certainly solve my problem. Under Linux however, I did not find such a personal firewall/IP filter, which can do IP filtering by application.
Did this make it in 1.0.1? If not target should be updated.
*** Bug 181338 has been marked as a duplicate of this bug. ***
Isn't this a preference now? In Privacy > Images preferences, I see a preference that prevents remote images from loading in Mail/News. This build is 2002123108 on Win XP Home SP1.
Brant: Not exactly. CSS files, for example, could act as a unique identifier (see also comment #29). PS Be sure to add yourself to the CC list on bugs, otherwise might might not receive any of the responses ;).
Re: comment #220 Also, ideally we would want to allow loading images that are included in the message itself, and only prohibit loading *external* images (while the current preference, as I understand, would prohibit any kind of images). And see also comment #210.
Aleksey: I think the current pref already does that. That's what "remote" is there for in "Do not load remote images in Mail & Newsgroups", right? :-)
I've just made the bug #187984, that is like to be a duplicate of this one. I think that loading remote contents without the user being informed about privacy risks is really a bad privacy issue. A warning similar to the one that appear posting form data would be apreciated. A bettere idea, allowing the user to select if any remote contents should be loaded or not. Try the http://www.readnotify.com/, that sell a service of mail tracking, that use remote contents loading to collect a lot of informations about the mail and the recipients. Isn't it a very nasty service? :)
*** Bug 187984 has been marked as a duplicate of this bug. ***
*** Bug 188235 has been marked as a duplicate of this bug. ***
bringing over some comment from sfraser's duplicate bug: sfraser writes: Currently, viewing a mail message can fire off remote loads for images (controllable via a pref), iframe contents, style sheets, and other stuff. Not only is this a security issue, it's also a privacy issue: spammers can use weblogs, or FTP images requests, to gain information on when a mail message was viewed, and from what IP address. Image requests may even reveal your email addresss (depending on pref settings). I think mail needs an option, defaulting to _on_, to turn off loading of all remote content in mail. Only display what is contained in the mail message, and nothing more. clearing the target milestone. dylang, is this still on your radar?
Target Milestone: mozilla1.0.1 → ---
Would this cheap short term solution work: If we flag the message as spam (by our spam detection code) then when the user try to display it, only display as plain text? Should be pretty cheap to add that. I think Seth mentioned to me the other day that he wants to disable images for messages that are marked as spam as well.
If this bug is to be fixed even when JavaScript is enabled in mail messages, it depends on bug 65224.
I agree with Simon's suggestion. Give the user an option to not access non-local content, of any kind, without explict permission. I don't think that spam-detection is sufficient. Mozilla can put a box in the message header area that the user can click in order to load the non-local content. This will make it easy for the user to determine if the message is spam.
Note that for this purpose, "local" must include mail on the IMAP server configured for the account.
That's true. Local perhaps should mean "under the user's control". A remote mounted home directory, for example.
In addition to #227 from Seth Spitzer: I agree to it's suggestion, I think it would be necessary to add such a feature. I could imagine that this feature could work like the "Cookie Manager" with same options: either ask at every mail which wants to load remote content or define locations that will be allowed to load remote content from. Of cause allowing or denying loading all remote content should be possible as well.
There is an a partof a message sent my by the Readnotify service: <IMG SRC="http://www.dvvorzk66t4nx8.ReadNotify.com/nocache.pl/dvvorzk66t4nx9/footer0.gif" border=0 height=1 width=1 alt=""> <iframe width=1 height=1 src="http://www.dvvorzk66t4nxo.ReadNotify.com/iframe.asp?dvvorzk66t4nxp=2" frameborder=0 STYLE="width: 0; height: 0px; border:0px"></iframe><table height=1 width=1 border=0><tr><td background="gopher://gopher.dvvorzk66t4nxy.ReadNotify.com/gb.dvvorzk66t4nxz.gif"></td></tr></table> as you can see, they try to load many types contents using different protocols (also the gopher) The mail tag-id are embedded in may part of the url (also in the server address...) Now, I'm going to post an attachment with informations collected about that mail by the read notify service .
Original informations included also a map of the recipient possible location, detected using the IP used for loading remote contents.
tv@beamnet.de wrote me: > Just for the sake of couriosity: Do you know what happends when you > select the various "view/message body" options? > This might be of interest to other people subscribed to the bug, too, > but I thought I'd ask privately to not generate too much noise. This is a VERY interesting question. If you select plain/text or simple HTML remote contents of the message sent me using Readnotify service (containing remote img iframe and table's BG) are not loaded at all. I'm sure about that because I opened a tracked mail and the tracking system was not aware of that. I guess that also other type of remote contents (using any HTML tag that allow it and any protocol) should not be loaded.
Yep, Simple HTML (aka Sanitized HTML) and Plain Text are designed to strip away all references to remote content.
I've been using Simple HTML, and it seems to do the trick. It would just be nice to have a convenient way to tell it to load all of the email's content. I could go up to the menu and enable full HTML, but then I have to remember to switch back when I'm done. Maybe a button in the headers.
Heh, I guess that's one reason for this article -- being able to read the original mail and all the local content in the original format without fear of triggering remote load.
midori@paipai.net -- we don't need examples of why this bug is bad. The fix to this bug is fairly logical. Go look at bug 83038. (On a side note: the fix for that bug originally was a blacklist of bad protocols instead of a whitelist of allowed, remote referrer protocols, and thus needs to be revistited by someone to be updated in a new bug) The fix is to simply to stick a new content-policy object in the chain when this pref is set, and that object can refuse to load all content with a protocol that isn't the same as the enclosing document (as Mike Shaver said in comment 151). It's all a matter of sitting down and figuring out exactly where (and a bit how) to implement nsIContentPolicy and shouldLoad. Having been through 3 jobs in the past 9 months hasn't sped up that part of my approach to this bug.
*** Bug 189806 has been marked as a duplicate of this bug. ***
Mail triage team: need info.
Whiteboard: [need info]
*** Bug 175258 has been marked as a duplicate of this bug. ***
So....., What's the official word on this bug? Is there a work around? I read the rest of the comments and there doesn't seem to be any. Telling, that this bug is over 3 years old now. Bet if outlook implemented this tomorrow, it would be in mozmail by the end of the week :) Anyway, I think giving the user the option to not load any remote items is a very important privacy feature. Suspect that not having this feature is contributing to the growing amount of spam I am receiving. Giving the high dup count and votes, I suspect a lot of people agree.
In mailnews, go View -> Message Body as -> Simple HTML Problem solved.
cool, thanks. Two things... (i) Maybe the View->"Message body as" option can be placed under Edit->Preferences->"Mail and News" somewhere; maybe under the "Message Display" property sheet. (ii) Why is this bug still open?
> (ii) Why is this bug still open? The "simple HTML" feature is _very_ far from what this bug requests. I want to be able to view _full_ HTML mail, with images, CSS, etc - but only when those images and CSS are included in the email and are not on a remote server. The "simple HTML" feature restricts _way_ too much.
(i) It must be easy to change. In prefs it would be too far away.
>Telling, that this bug is over 3 years old now. Bet if outlook implemented this >tomorrow, it would be in mozmail by the end of the week :) Evolution has implemented it, though.
>>Telling, that this bug is over 3 years old now. Bet if outlook implemented this >>tomorrow, it would be in mozmail by the end of the week :) >Evolution has implemented it, though. And KMail
*** Bug 204438 has been marked as a duplicate of this bug. ***
adt: nsbeta1-
Keywords: nsbeta1nsbeta1-
something that thunderbird and the trunk will want for 1.5 alpha. taking from dylang@thock.com, send me mail if have a patch started, and want this back.
Assignee: dylang → sspitzer
Status: ASSIGNED → NEW
Target Milestone: --- → mozilla1.5alpha
Will thunderbird run as a separate process? If it will, then it would be a pretty easy WORKAROUND to use a personal firewall to block all connections from the process other than to mailservers. Still, hope to see this soon!
Re: #254: This is why I currently use Mozilla for browsing only, and a different software (Netscape 4.x, actually) as a mail client. The mail client is configured to assume I use a proxy, and the provided proxy address is nonexistent. This way, all HTML connections resulting from mail-reading simply fail.
Tip: you could also use a second mozilla profile to do the same thing. Simply start mozilla with a command-line flag to select the correct profile for mail or www access. Easily incoporated into a toolbar link / shortcut / script or whatever your platform uses. IMHO, this is 99% fixed with the "enable plugins for mailnews" and "load remote images in mailnews" options.
Tal, Craig: Thanks for the workarounds. Craig's I think will mean that clicking on a link in an email won't work as it should; I'd hate that. How to enable bug 108153's workaround, as far as I can tell: posted to said bug.
Implemented Already!!? Has anyone here ever heard of the open source project called SquirrelMail? It is an IMAP web-based mail client. It is coded in PHP and usually runs on Apache with modPHP installed. Anyways, see http://www.squirrelmail.org/ The reason I bring this up is that the developers of SquirrelMail opted to (by default) block all images from a foreign server! Yes, all of them. There is actually a plugin that allows the administrator of the webmail to re-instate the ability to see these "unsafe images." The plugin is called "unsafe image rules." Deep link: http://www.squirrelmail.org/plugin_view.php?id=98 FOR THE WHOLE RESAON why anyone should care about this bug, or why the SquirrelMail people chose not to allow (by default) the viewing of any image from a foreign server, SEE THIS LINK! http://www.squirrelmail.org/wiki/en_US/UnsafeImages Okay, so there is a precedence for completely blocking every image in an e-mail that didn't come inside the e-mail! There is also a precedence for allowing a user to selectively reinstate the normal image view of HTML mail. You would probably guess that most users were pretty disappointed when these "usafe images" were being blocked. But for some of us who *do* receive a lot of SPAM, I actually preferred viewing my mail with the SquirrelMail interface until I came across something I needed to see from a legitamate source. Having the unsafe image RULES (via the plugin) makes this feature votable for Mozilla Mail! Or, "I wish Mozilla Mail did this, too."
*** Bug 210403 has been marked as a duplicate of this bug. ***
sliding out
Target Milestone: mozilla1.5alpha → mozilla1.5beta
*** Bug 212752 has been marked as a duplicate of this bug. ***
*** Bug 214046 has been marked as a duplicate of this bug. ***
IMHO the inevitable flexible solution is: Unique allowed-domains lists and proxy-setups for each email account. Within one process using one profile, you configure the browser's proxy, optionally override by a global default email proxy and allowed-domains, and optionally override proxy setup and allowed-domains on each email account. The allowed-domains is a domain list field similar to no-proxy-for but with a separate boolean to turn on or off use of this field. To access all domains from an email account: set the boolean false. To block all: set true (use list), but with empty list: none allowed. Behind a firewall, set true and list your own local domains as allowed (allow access by HTML-email to images, css, plugins... within your own network). I don't know the state of the javaScript-able proxy function in Moz, but provided such a user-configurable JS proxy function had access to whether the browser or an email account (and which email account) was triggering this particular DNS-to-IP resolution, then a user can code up the above effects (defer to different proxies appropriately, and enforce separate allowed-domain lists). That JS-proxy would be a minimum start giving much power long before any GUI need be conceived for this, similar in spirit to user prefs that don't have a GUI yet. Care needs to be taken so any IP caching is also separated or multi-layered, so previous browser hits don't "enable" HTML-email hits to the same site by skipping the JS-proxy based enforcement by virtue of already-cached (or simply provide option to disable IP-cache use from all HTML-email).
Don't you think it's easier to say, "the mail window wants to initiate a network request that didn't result from a user click -- is the request to the mail server? If not, block the request. Done."
I doubt that an allowed domain list is the solution for email problems, though it's ok for browser cookie settings. What makes me think this? Occasionally we're receiving Junk mails from one of our own domains. While browsing I'm actively requesting a certain domains content, reading mail makes me read what somebody else wants me to read. Allowed domain lists would be valid for known accounts *and* signed mails only, being somewhat more complicated than [reb at cypress-dot-com]s suggestion. Olaf
Olaf, (I'd hope that) The domain whitelist is for outbound targets, not for appearant E-Mail originators (as these can be forged, of course). I don't get that much spam that refers to images on my own webserver. Cheers Thomas
sorry, missed that. However, related to past comments, I'll second comment 247 for this bug: Show everything that is enclosed with the respective mail and prohibit any contact to any server outside, e.g. show full images and stylesheets as long as they are attached to the mail (plugins give another problem with that, but that has already been solved in one of the last years... :-) But then, viewing mails plain text only has saved me from reading dozens of viagra spams, so I currently don't really miss this feature :-) Olaf
I for one could really do with a domain whitelist, as I get automated emails that refer to images on our intranet webserver (and not having the images makes for a useless email).
*** Bug 218627 has been marked as a duplicate of this bug. ***
My comments as to the best way to handle this, although they could easily spill into seperate bugs: Make privacy the default. External objects do not load without user interaction. Allow selective loading, possibly via right click "Allow object to load." Allow full loading, either via right click, Load External Objects, or via chrome similar to the junk mail indication in thunderbird. Provide seperate toggles for previewing and opening a message, perhaps make privacy default for the preview pane, and default to allowing external objects when opening in a window. Provide sender and site whitelists and blacklists that take precidence regardless of the global privacy settings
*** Bug 229038 has been marked as a duplicate of this bug. ***
I joined the mozilla bugzilla group just for this one option. And then I found it! In 1.5 it is under [Preferences... -> Privacy_&_Security -> Images -> Do_not_load_remote_images_in_Mail_&_Newsgroup_messages]. I expected it to be under [Preferences... -> Mail_&_Newsgroups] or in the Server Settings in [Mail_&_Newsgroups_Account_Settings...]. Just an observation, not a complaint. Happy happy happy happy, Steve PS: When does this bug get closed out?
When it is possible to make Mozilla NEVER talk to any server except by explicit user action (e.g., clicking on a link). As it is images don't load, but you can do all kinds of other stuff instead.
FYI, current versions of Pegasus Mail also block images by default. His solution was to pop up a message saying "This web page has images, do you want to load them?" or something like that, with the option to either load or not load by default, and the option to disable the popup. If you choose to disable image loading, right-clicking on any message gives you the option to "Show Pictures (HTML)".
What about remote style sheets, flash, javascript, java applets, or anything else for that matter?
Any network connexion outside should be avoided inside a message. This shous include stylesheets and urls inside stylesheets. This could be implemented by filtering out urls outside the message own url. Mozilla-mail access mailboxes via urls like : mailbox://nobody@Local%20Folders/folder/message imap://user:password@imap.serveur.net/folder/message Or disallow any other protocols than mailbox: or imap: inside a mail message.
With 26 dupes, this bug needs a clearer summary. I'm appending "(disable remote content/web-bugs)", but feel free to change that to something easier to search. BTW, starting with WinXP SP2, this feature will included in Outlook Express. See http://www.pcmag.com/image_popup/0,3003,s=1841&iid=62601,00.asp Prog.
Summary: No server hits at HTML mailnews reading - privacy → No server hits at HTML mailnews reading - privacy (disable remote content/web-bugs)
*** Bug 232843 has been marked as a duplicate of this bug. ***
Perhaps this has been addressed in the 278 comments before mine... I am happy with the 'blocking of remote images in Mail' feature, but now I want to be able to UNBLOCK images in some emails. I don't see any easy way of doing that, other than allowing all remote images, then viewing the message, then blocking again. I would like to be able to permanently allow remote images in emails when the images are on certain servers. So in the Browser, I can BLOCK images from some servers. In Mail, I want to be able to ALLOW images from some servers, with the default being to deny. This would keep me safe from random spammers, but would allow me to view my HTML newsletters etc, once I had configured everything correctly.
Asking for blocking in 1.8a because this is a major privacy concern. pi
Flags: blocking1.8a?
No, given that bug 108153 (Simple HTML mode) is implemented, it isn't. One reason why I fixed that bug was that I wanted to fix this one (28327), and IMHO it did. That fix protects you not just from tracking, but also from the vast majority of potential security exploits and automatic viruses. I wonder if it's still valid at all, and if so, only in very few edge cases. Before you flame me, note that I am the original reporter of the bug. ;-)
(In reply to comment #281) > No, given that bug 108153 (Simple HTML mode) is implemented, it isn't. Simple HTML mode is not enough: a user might like to see HTML messages as intended by the author, but not trigger web bugs. If this feature is implemented, messages in which all the content is attached to the email using cid: URLs would display properly AND web bugs would be stopped. Using the Simple HTML feature means you can do only one of these at a time.
I agree with comment 282, simple HTML is a very nice feature (And I use it), but since Outlook has functionality for not giving away emailadresses (not downloading pictures, etc from remote locataions) one can expect a lot of companies to embed them in the message. In some cases I want the simple HTML (especially in the case of suspected SPAM), but most of the time I just want to be sure that my emailadress isn't given away, while I read the email with the layout as intended by the sender. My point is that these two issues (simple HMTL and No server hits) resolves two completely different problems. Simple HTML blocks content that doesn't generate a server hits and is required for proper displaying of the message.
(In reply to comment #280) I support pi as long as it doesn't get too long :-) > Asking for blocking in 1.8a because this is a major privacy concern. ... and security. I am talking about iframes. What about 1.7? Too late? The scenario in bug 64066 comment 31 already has happened! (which is a browser bug, so I was sent here) > spammer might just start attaching .au or .wav files to emails for this purpose? Please see: bug 191460 comment 24 and bug 191460 comment 84 - Virusmail executes embedded virus. (netsky.p@MM, W32/KLEZ.H@mm) (This is partly solved for Windows by bug 239160 and a MIME patch but the iframe problem still exists) bug 213280 - denial-of-service-attack using iframe & telnet-urls
This bug is not a security concern. It only blocks fetches to the *Internet*, it should not block fetches to msg parts, because e.g. inline image loads should continue to work. So, if there is a security problem, you can always exploit it by attaching the exploiting doc and refering to it with an appropriate URL - indeed, the worm described in bug 191460 does just that -, and this bug (28327) won't stop it by design. "Sanitzed HTML" did.
*** Bug 230274 has been marked as a duplicate of this bug. ***
I think the best solution was mentioned in Comment #150: Put mails in a sandbox and don't allow them to access anything outside of themself. For special cases there could be exceptions like Mails from foo@bar.com may access urls matching http://www.deadbeef.com/* ...
Flags: blocking1.8a? → blocking1.8a-
*** Bug 244593 has been marked as a duplicate of this bug. ***
I think fixing this will be easier and cleaner (at this point) for tbird. tbird has it's own content policy, see http://lxr.mozilla.org/mozilla/source/mailnews/base/src/nsMsgContentPolicy.cpp in the tbird ui, mscott has: privacy [ ] block loading of remote images in mail messages in 1.7 (so I assume trunk, too), we have: privacy and security images image accept policy [ ] do not load remote images in Mail & Newsgroup messages so for tbird, maybe this will be acceptable: 1) keep the pref name the same (mailnews.message_display.disable_remote_image) 2) but change the UI to be "block loading of remote content in mail messages" or "block loading of remote files in mail messages" 3) fix nsMsgContentPolicy::ShouldLoad() and maybe do: -else if (aContentType == nsIContentPolicy::TYPE_IMAGE) +else (or we might want this check for remote content before the check for plugins, as "don't load remote content" might take precendence over plugin content handling) note, I'm not sure if that will address the "don't load remote css problem" or the "don't load any iframes" problem. (see bug #243306) the reason, besides UI, why this is easier in tbird is we won't break browser as we have a separate policy in a separate app. let me attach the text of my conversation with bz for some background.
Status: NEW → ASSIGNED
here's a conversation I had about this with bz. <bz> So as far as blocking everything <bz> I'm looking at nsMsgContentPolicy::ShouldLoad <bz> It's a matter of replacing the line <bz> 124 else if (aContentType == nsIContentPolicy::TYPE_IMAGE) <bz> With the line <bz> 124 else <bz> I suspect that should be sufficient... <sspitzer> I'll look into that frame thing. <sspitzer> as remote iframes should be loaded in mail either. <bz> yeah <bz> Agreed. <bz> Iframes are TYPE_SUBDOCUMENT <bz> on trunk <bz> and SUBDOCUMENT on branch <sspitzer> you mean, add an else check for: nsIContentPolicy::TYPE_SUBDOCUMENT (like we have for nsIContentPolicy::TYPE_IMAGE) <bz> yeah <bz> Note that that won't block stylesheets... <sspitzer> don't we already block those? <bz> I would think we would want to apply the image pref to all content regardless of type <bz> Not that I'm aware of. <sspitzer> I think I was thinking of (Link: http://bugzilla.mozilla.org/show_bug.cgi?id=184948)http://bugzilla.mozilla.org/show_bug.cgi?id=184948 <sspitzer> what's the right way to block all remote content? <sspitzer> or is that not possible? <bz> well... <bz> just don't do a type check? <bz> Run the code that checks the scheme no matter what type the thing is?
Target Milestone: mozilla1.5beta → mozilla1.8beta
Here you can find a list of web bugs : http://www.freedom-to-tinker.com/archives/000610.html
*** Bug 256839 has been marked as a duplicate of this bug. ***
Even Outlook Express has fixed that issue in their latest release: Screenshot: http://microcephale.free.fr/priv/OEprivacy.PNG It is kinda trivial to block images AND other external content. Without blocking other content, the image blocking feature is totally and utterly useless.
Flags: blocking-aviary1.0?
Flags: blocking-aviary1.0? → blocking-aviary1.0+
Flags: blocking1.8a4?
restoring aviary1.0 nomination, only project leaders can set blocking status.
Flags: blocking-aviary1.0+ → blocking-aviary1.0?
taking
Assignee: sspitzer → mscott
Status: ASSIGNED → NEW
*** Bug 248853 has been marked as a duplicate of this bug. ***
*** Bug 248857 has been marked as a duplicate of this bug. ***
*** Bug 259091 has been marked as a duplicate of this bug. ***
Flags: blocking1.8a4? → blocking1.8a4-
Flags: blocking-aviary1.0? → blocking-aviary1.0+
*** Bug 260962 has been marked as a duplicate of this bug. ***
Attached patch the fixSplinter Review
this may be too agressive. Testing will let us know for sure. I may also change the string text to refer to remote content instead of remote images in the UI.
> this may be too agressive. Testing will let us know for sure. Doesn't it affect Thunderbird RSS reader? It generate e-mails with iframe loading the remote article.
(In reply to comment #301) > > this may be too agressive. Testing will let us know for sure. > > Doesn't it affect Thunderbird RSS reader? > It generate e-mails with iframe loading the remote article. Yes, this bug by design will break these messages, and I see no way around it. IMHO, the RSS reader should be changed in some way (need to figure out how).
No this change has no effect on Thunderbird's built in RSS reader. Things will still load fine for RSS folders.
Flags: blocking1.8a1-
*** Bug 261520 has been marked as a duplicate of this bug. ***
I checked this into the branch and the trunk last week and so far I haven't gotten any complaints about it being too aggressive yet. I may end up changing the string we show in the UI down the line but I'm not going to keep this bug open just for that issue. Also need to do some further testing to see if the remote style sheet code calls through the content policy manager...
Status: NEW → RESOLVED
Closed: 21 years ago
Keywords: fixed-aviary1.0
Resolution: --- → FIXED
This is not blocking iframes on the trunk (2004101505), but is working for thunderbird (20041009). I double-checked that the patch here was checked into the trunk, why wouldn't it work there?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I should also note that it looks like nsMsgContentPolicy is explicitly blocking ftp, http, and https only. Not gopher (found "in the wild", see comment 234) or any other scheme that might be supported by us or the OS. A scheme that opened a new window, like an external app or one of the news protocols, wouldn't be useful as a commercial web-bug, but a one-off snoop attack where you don't care if the recipient knows that you know could still succeed.
*** Bug 264828 has been marked as a duplicate of this bug. ***
*** Bug 265296 has been marked as a duplicate of this bug. ***
*** Bug 266462 has been marked as a duplicate of this bug. ***
(In reply to comment #305) > I may end up changing the string we show in the UI down the line but I'm not > going to keep this bug open just for that issue. Bug 266503 opened for the UI update. > Also need to do some further testing to see if the remote style sheet code > calls through the content policy manager... Apparently it does not; I've tested, and remote style sheets (via <link>) are still loaded with TB version 0.8+ (20041028), Win2K. However, as noted in comment 306, the <iframe> tag is being blocked with TB; but not for MailNews 1.8a5-1019. How is it that the patch was checked into the trunk with neither review nor superreview?
*** Bug 260039 has been marked as a duplicate of this bug. ***
This is possibly the subject of Secunia advisory SA13086: "Mozilla 1.7.3 / Thunderbird 0.8 Valid Email Address Enumeration Weakness" http://secunia.com/advisories/13086/ Adding blurb to help catch duplicate filings.
(In reply to comment #311) > Apparently it does not; I've tested, and remote style sheets (via <link>) are > still loaded with TB version 0.8+ (20041028), Win2K. I can't confirm this for TB 0.9final, Win2K. The remote stylesheet is not loaded before clicking on the "Show Images" button (ensured via Ethereal).
(In reply to comment #315) > I can't confirm this for TB 0.9final, Win2K. The remote stylesheet is not > loaded before clicking on the "Show Images" button (ensured via Ethereal). In TB 0.9, I see that also.
Product: MailNews → Core
Blocks: 239954
If it was good enough to block aviary 1.0, it is good enough for 1.1.
Flags: blocking-aviary1.1?
Blocks: 278176
bug 274866 made the pref to block images in mailnewd (for seamonkey) to block all remote content, the same way as thunderbird does it.
(In reply to comment #318) > bug 274866 made the pref to block images in mailnewd (for seamonkey) to block > all remote content, the same way as thunderbird does it. I reopened this because of the suite. If that's being handled elsewhere then this can get re-closed.
Status: REOPENED → RESOLVED
Closed: 21 years ago20 years ago
Resolution: --- → FIXED
It would be useful if someone explained how to use it. Is there UI for this? If not it won't be available to most users. pi
Just set the good old pref to not show images in mailnews. (like i tried to say in comment 318 (there are too many comments here)) Bug 287672 is about fixing the wording of the pref panel text.
Flags: blocking-aviary1.1?
No longer blocks: majorbugs
(In reply to comment #319) > (In reply to comment #318) > > bug 274866 made the pref to block images in mailnewd (for seamonkey) to block > > all remote content, the same way as thunderbird does it. > > I reopened this because of the suite. If that's being handled elsewhere then > this can get re-closed. Was this handled elsewhere? I didn't see it anywhere, yet this was closed. Thanks.
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: