Closed Bug 626988 Opened 13 years ago Closed 8 years ago

In some messages, it is not possible to revoke remote image permissions.

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: M8R-l20ep6, Unassigned)

Details

(Whiteboard: dupme?)

Attachments

(1 file, 1 obsolete file)

WIP 2
3.81 KB, patch
Paenglab
: feedback+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 (.NET CLR 3.5.30729)
Build Identifier: 3.1.7

When permission is given by the user to view remote content, the address is often not added to the address book (with "allow remote content") checked.  Therefore, it often is not possible to revoke this permission at a later time.

Reproducible: Sometimes

Steps to Reproduce:
1. Select a message that displays third-party images.
2. Click the button to allow Thunderbird to display the third-party images - they are then displayed.
3. The sender's address is *not* added to the address book with the "allow remote content" checkbox checked.
Actual Results:  
Since the sender does not appear in the address book, it is no longer possible to revoke the "remote content" - a potential privacy concern.

Expected Results:  
The sender's address should always be added to the address book with the "allow remote content" checkbox selected upon viewing remote content.

Revoking remote content for a sender should just then be a simple case of deselecting "allow remote content".

I have checked when testing that messages do indeed contain third-party images (and not attachments).

mailnews.message_display.disable_remote_image = true

Using XP Home, SP 3.
Whiteboard: dupme?
The problem is persisting.

I had an e-mail today which contains remote images.  I gave Thunderbird permission to view remote images and they were displayed.

I would now like Thunderbird not to display remote images for this e-mail.  However, the sender's e-mail address was not added to the address book.  So I can't go to the sender in the address book and deselect "Allow remote content".

Has anyone else been able to reproduce this issue?  If this bug has already been reported, could you please advise of the bug number, as I have been unable to find a report of this exact problem?
If you click the allow remote images button, then that is a one-off allow for the specific email. There's no easy undo for this within in Thunderbird.

Allowing remote content for the sender is something different and is obviously based on the sender and not per-message.

I'm not really sure what the use-case is for undoing the allow remote images option - at the point you enable it, you've already allowed the remote images load and a "phone home" if there's tracking in place.
(In reply to comment #2)
> If you click the allow remote images button, then that is a one-off allow for
> the specific email. There's no easy undo for this within in Thunderbird.
> 
> Allowing remote content for the sender is something different and is obviously
> based on the sender and not per-message.
> 
> I'm not really sure what the use-case is for undoing the allow remote images
> option - at the point you enable it, you've already allowed the remote images
> load and a "phone home" if there's tracking in place.

Many thanks for your explanation.

However, I still feel there should be an option to "undo" the "Allow Remote Content".  For example, sometimes it is possible to accidentally click the button, or maybe it was clicked intentionally but the user then decides they don't want/need to see the extra images etc.  At this point there is no way to undo the operation.

Having an option to easily allow the user to enable/disable remote content for a message as required would give the user control over this and provide for a better e-mail viewing/management experience.
(In reply to comment #2)

> I'm not really sure what the use-case is for undoing the allow remote images
> option - at the point you enable it, you've already allowed the remote
> images load and a "phone home" if there's tracking in place.

My particular use case: I wish to specify a 0 MB disk cache for TB. I see no need to keep copies of previously downloaded remote content on disk.  However, if I elect to live without cache, then any message that I've ever clicked "Show Remote Content" (either intentionally or inadvertently) will thereafter *always* get downloaded from the external source *every* time I open the message.  This is a ridiculously inefficient place to be, and AT&T is now doing it's best to discourage me from ending up in such a situation. :0

All I want to do is occasionally take a single peek at what I'm missing in the remote content for specific messages, after I'm assured by what I see in the text that the message is legitimate.  After that I want the content to just evaporate, and not be repeatedly downloaded forever and ever.

And I'm not sure that the whole purpose of the button is simply to avoid web beacons in legitimate messages.  There are much more serious critters that can be lurking in remote content, and this is my main reason for not enabling remote content to always be displayed.

So I think what's really being requested here is a pref to specify that "Show Remote Content" just be downloaded from the external source _without_ flagging the message file that this button has been pushed.  That way the first peek can still be the last peek.

Thanks for your consideration.
To clarify, I think that it's actually the .msf file for the corresponding folder that's being tagged with the flag that a particular message once had the "Show Remote Content" button clicked.

OP, if you are still monitoring this report, what you can do for an interim resolution for specific messages is to go into your Mail folder in your TB profile and rename or delete the *.msf file that resides in the folder where your message is stored in the GUI.  This will affect all messages in the folder, and not only will they all lose their previous associations with downloaded remote content (if any), but the folder itself will revert to the default views (sort order, threaded or not, etc.)  You can search the net for detailed instructions on how to locate your TB profile, Mail folder, and .msf file.
Thanks Peter for the info about the .msf file - very interesting to know.

Would be great though if Thunderbird provided an option to "undo" the "Allow Remote Content" for a message via the user interface.
Here's a great use case.

I recently received a malware e-mail that looked legitimate, so I allowed remote content.
Which is fine, but then I find the .zip file contained an .exe. It would be very good if said malware can't track when I view its e-mails.
Here's another. I get a mail (from a financial site) and I tell Thunderbird to load the images. No change. So I view the source, it's a 1x1px tracking gif.
I got this problem too, thanks for the workaround, deleting .msf files worked.
After deletion, Thunderbird had to download a lot of email content from Gmail.
Now, I will never use again the "Show remote content in the message" choice from "Preferences" button because it flags the message to load content every time you open the message, which means possible tracking: every time you read the message, it sends an HTTP request and a server will get you IP address and approximate location. Now I will also use a VPN (OpenVPN Access Server) that I have set up on a VPS server.
If you want to see remote content, choose instead "Allow remote remote content for <email_address>" or "Allow remote content for <domain_name>". This way, you can revoke your choices in Thunderbird "Preferences" -> "Privacy" -> Mail Content "Exceptions".
The GUI problem is still here and should be fixed after 5 years soon.
Like Peter said, the "Show remote content in the message" choice should not flag the message to always load content from the message but instead it should be a temporary choice when the mail is open.
If developers do not choose a temporary solution, it should be a revocable choice because in the future we may want to read this email again without the remote content.
I just inadvertently clicked on "Show remote content in the message" on a message so I though I will have to delete .msf file again and wait for the content to be downloaded.
I tried to delete the message and then restore it from the trash, maybe it would reset the remote content flag on the message but it did not work.
But I found a way to delete and restore the message so it will reset the flag, it's weird and looks like a hack but all I had to do is drag and drop the message in the trash and then move it again (with a drag and drop or not this time) in the inbox. If the remote content doesn't get blocked, try a drag and drop in the draft folder, in my case Gmail didn't allowed this operation and sent back the message to the inbox and the remote content was blocked.
I'm using Thunderbird 31.8.0 on Linux (Xubuntu). I hope this hack will still work in future versions, until there is a real solution to the problem.
Here is another use case : I want to print an HTML email.  I allow remote content in order to see if images are worth being printed.  It appears they're not (actually they completely break the printing, but anyway).  Now there seems to be no way to print the text-only email.

Workaround suggested in comment 10 doesn't work for me (Thunderbird 31.7.0 under Debian Sid).
Glad to have found this bug, this is still an issue in Win 7, TB 51a.

1) Obviously the one-off allow is stored in the .msf file (why so?), where that may be an .msf file per subfolder (Skippy ^ comment 10?), if created. Just restarting TB does not revoke it, and no visible exception is created anywhere.

2) Another thing of concern: why is remote content allowed and remembered in such case even though Connection settings may have been set to NOT allow web content at all? Are they simply overruled by this one-time action? The same applies to allowing per domain or email addresses (i.e. when creating exceptions.)

I think both issues are serious enough to get fixed. The second one could be considered a security issue for average users. I assume that requires a new bug?
Component: Message Reader UI → Security
I think the remote content exception for a particular message is set at https://dxr.mozilla.org/comm-central/rev/70de4f4f7c99060bc25a5fe8e76e5b3f74e9984d/mail/base/content/mailWindowOverlay.js#3196 . It seems we could also store kBlockRemoteContent value or reset the value to 'unset'. But we'd need some clever UI for where to put this item. I think once you click "allow remote content for this message" menuitem, the whole notification bar goes away so you can't put a "Disallow" menuitem in the same menu.

Maybe we could detect if a message has this preference set and show the notification but only with this new "disallow" option?
I think we should just wontfix this. 

I don't see any good reason you'd want to disallow it again after loading it once. And to put the sender in the addressbook, just do that next time... if you really want to set a pref for him. 

We don't want to pollute each message with a bar with such options.
Not each message, only those that have this particular header set.
Attached patch disallowRemote (obsolete) — Splinter Review 
Something like this.
Attachment #8812359 - Flags: feedback?(tonnes.mb)
Attachment #8812359 - Flags: feedback?(richard.marti)
Attachment #8812359 - Flags: feedback?(mkmelin+mozilla)
Comment on attachment 8812359 [details] [diff] [review]
disallowRemote

I'm with Magnus. We shouldn't almost always show a notification bar for messages with remote content, if it's either to allow or disallow the content.

As a compromise, how about add a entry in the "More" button menu? Here we have other per message options and is available without cluttering the message display with a bar. This option is (normally) seldom used to be shown such prominent.
Attachment #8812359 - Flags: feedback?(richard.marti) → feedback-
Attachment #8812359 - Attachment is patch: true
Comment on attachment 8812359 [details] [diff] [review]
disallowRemote

Review of attachment 8812359 [details] [diff] [review]:
-----------------------------------------------------------------

I just don't see this as a use case core needs to support.
Attachment #8812359 - Flags: feedback?(mkmelin+mozilla) → feedback-
(In reply to Ton from comment #11)
If you don't want images, just use View | Message Body As | Simple HTML.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
That's fine with me, I just asked for a place to put this item.

(In reply to Magnus Melin from comment #14)
> I don't see any good reason you'd want to disallow it again after loading it
> once.

If only out of principle, we should allow removing settings that we allowed to set. If the users resort to the extreme of killing the msf just for removing the header, there seems to be a reason/use for this.

> And to put the sender in the addressbook, just do that next time... if
> you really want to set a pref for him. 


> We don't want to pollute each message with a bar with such options.

I agree if there is a better place.
(In reply to Magnus Melin from comment #19)
> (In reply to Ton from comment #11)
> If you don't want images, just use View | Message Body As | Simple HTML.

But that is another extreme as it hides images in all messages.
Well it's extreme to ever want to revoke the permission for the message. So why not leave it for an add-on?
Attached patch WIP 2Splinter Review 

        Attachment #8812359 -
        Attachment is obsolete: true

        Attachment #8812359 -
        Flags: feedback?(tonnes.mb)

        Attachment #8812425 -
        Flags: feedback?(richard.marti)

    
    

    
  
(In reply to Magnus Melin from comment #14)
> I think we should just wontfix this. 
> 
> I don't see any good reason you'd want to disallow it again after loading it
> once. And to put the sender in the addressbook, just do that next time... if
> you really want to set a pref for him. 
> 
> We don't want to pollute each message with a bar with such options.
(In reply to Magnus Melin from comment #19)
> (In reply to Ton from comment #11)
> If you don't want images, just use View | Message Body As | Simple HTML.

I very much disagree, as well as with wontfixing - obviously the issue is not clear. This is not about adding a pref per user, and "View > Message body as" is not an option and not even related. An add-on is not an option either, would complicate things and degrade TB. And it’s not extreme to ever revoke a one-off permission, even for one message. Please think about the average user, not me or ourselves.

Remote content is a serious issue and one that Thunderbird cares about, as you know. It has beautiful options to allow/block remote content based on domain or sender using the Permissions manager. Hence:

- Doing one-off allow for remote content should NOT override these options without EVER having a chance to revoke the permission in a regular way and leaving the user with the question how to undo this.
- Furthermore, this should NOT override any general connection settings, since Thunderbird should respect _any_ connection settings in general.

Technically this one-off allow can even be prone to errors/flaws. It also came up in the support forum for an issue where a user wasn’t able to load remote content at all. How to explain this "flaw" should cause them to load at all times, and to remove an .msf file to see what happens?

Allowing remote images once would be no issue as long as this happens only once, and is allowed by the connection settings at all. In other words, when selecting another message and reselecting the first, remote content should be hidden again, similar to what happens when removing a per domain or sender exception in Options and removing it. That means:

- The permission does not even need to be stored, and no additional buttons in the UI are needed. 
- It could even be considered to remove the "Show remote content in this message" option entirely, since the per sender/domain options are below them and DO get stored in the PM / Exceptions respectfully.

The sender/domain options were optimized after they were image-specific before, and in a way, one could say the one-off Allow could also have been removed at that time. Even if a user would like to block images by default using the PM but see them once, he would know he’d need to use the PM for it, unlike now.

Use case:
1. User (or administrator) has set up Thunderbird in a restricted way, i.e. remote content is blocked by default, connection settings use a proxy and there is no way to get around this in general. Even web content (What’s new or Get More Add-ons) may not work.
2. User opens up a monthly phone bill in Thunderbird, and for once, clicks Allow (in Options) for remote content.
3. A week later, user reads the phone company’s website was hacked, which reminds him to check the bill once more for some specific reason.
4. User starts Thunderbird and selects the email, same remote content is displayed automatically, though was replaced by other content, even overriding the tight connection settings.
5. Harm has been done, but user tries to undo this and can’ find the settings in PM, is getting in trouble, and may ditch TB.

Please don’t ask me where and how to implement this, but try to minimize to what’s needed (perhaps comparing to other clients’ behavior?), and with security and privacy in mind, honoring connection settings, and keeping things clear and simple for users.

    
    

    
  
Then how do you prevent downloading the compromised content in step 4? The user would have to reset the remote content permission without viewing the message first and do this for all messages from that source. That seems to be too much to ask users doing manually.

So the only usable solution seems to be that 'allow remote content' is temporary for the current message view, not to be stored for the message permanently.

    
    

    
  
Comment on attachment 8812425 [details] [diff] [review]
WIP 2

Now you need only to convince Magnus.

        Attachment #8812425 -
        Flags: feedback?(richard.marti) → feedback+

    
    

    
  
(In reply to :aceman from comment #25)
> 
> So the only usable solution seems to be that 'allow remote content' is
> temporary for the current message view, not to be stored for the message
> permanently.

Yes, this is the right way to do it, and what I do via extension - a one time user driven reload with images. The implementation of permanent url and mail based permissions makes storing a "remoteContentPolicy" value for the message in msf obsolete, so ui for its revocation is correctly wontfix.

    
    

    
  
So can you please adapt your solution for trunk? I can't see off-hand how the temporary solution would be done. It probably needs other backend support without using the existing header for this purpose.

    
    

    
  
(In reply to alta88 from comment #27)

> ...mail based permissions makes storing a "remoteContentPolicy" value for the
> message in msf obsolete, so ui for its revocation is correctly wontfix.

Despite some users asking for it, I think this bug is not about a UI change in particular, but removing the storage in the .msf would be a proper fix.

How to cope with honoring connection settings? Does it need a new bug?

    
    

    
  
i'm not inclined to spend time on this, and the way the extension does it isn't the right way for core to do it.  the extension sets remoteContentPolicy to 'allow', sets a once only flag, reloads the message, and on msg loaded sets the remoteContentPolicy back to 'disallow' if the once only flag was set.  a proper fix would adjust content policy and not use the property in msf at all.

user set offline (as opposed to no network) means checking Services.io.offline and doing nothing, there are probably numerous places that don't check.

    
    

    
  
One good fix with a lot of other perks included:

 - ensure all remote content is taken only(!) from cache on further loads
 - a reload (Ctrl + F5 style) of the message would reload message and cotent from server and the message would get the same blocking notification as it initially had when it was new

    
    

    
  
(In reply to Magnus Melin from comment #31)

Mr. Melin's proposed fix has the side effect of breaking dynamic content (eg: current weather in trip advisory email). Most of the time users do not want or need dynamic content, but Thunderbird should still allow for exceptions.

Also consider that Mr. Melin's proposed fix does not apply to Peter's use case (comment #4), where the user has specified a 0MB cache and sometimes wants to 'peek' at the images on particular email messages.

    
    

    
  
(In reply to Max Shen from comment #32)
> Also consider that Mr. Melin's proposed fix does not apply to Peter's use
> case (comment #4), where the user has specified a 0MB cache and sometimes
> wants to 'peek' at the images on particular email messages.

Nevermind about this one, the reload would take care of this use case. Although a manual reload is less intuitive than temporarily showing remote content (comment #25), I recognize that Paul's use case is a corner case and does necessarily warrant direct support by Thunderbird core.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: