[gaia e-mail] sanitizing web-bug images?
asutherland at asutherland.org
Wed Aug 15 06:53:39 UTC 2012
(I am posting to tb-planning as a proxy for the mozilla mailing list
relating to the e-mail problem domain)
The (gaia) e-mail client for Firefox OS sanitizes all HTML because it
can't use content policies to limit the capabilities of its iframe and
iframe sandbox directives.
context: HTML e-mails sometimes contain "web bugs" which are intended
to notify the sender of the e-mail when you have read the email by
causing your mail reader to trigger some type of network access that
they can detect. This is frequently done with 1x1 images. Other
possible tricks have included background sounds, and (I'm not sure
whether anyone ever really used this) relying on DNS prefetches (to
their DNS server).
Thunderbird blocks remote images and shows the "To protect your privacy,
Thunderbird has blocked remote content in this message." It does this
even in the case where the only images present are 1x1 web bugs.
The gaia e-mail client imminently does the same thing, but the cost of
showing the info-bar equivalent is much higher because screens on mobile
devices are smaller. Also, the network traffic is potentially more
expensive to the user.
Since there is no real user benefit to the web bugs but definite privacy
costs (if loaded) and potential usability and network costs, it seems
reasonable to simply scrub the web-bugs from the HTML as part of the
sanitization process. (Also, it saves storage costs since sanitization
occurs during synchronization.)
The arguments against sanitizing the web bugs are (possible
interpretations of) user choice and game theory concerns that sanitizing
based on explicit sizing (width=1 height=1) could lead to an arms war.
I don't view the arms war as particularly concerning as e-mails can't
run JS, transitions/animations are also sanitized, the sanitizer has
access to a layout engine enabling it to determine visibility, and it is
generally believed that most e-mail clients have poor HTML support.
In terms of specific feedback I am looking for, I am primarily
interested in reasons why this would be a bad idea.
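As an added illustration of the scrubbing step discussed above (this is example code, not the gaia client's sanitizer), the following Python script walks an HTML message with the standard-library parser and drops `<img>` elements that match the web-bug heuristics named in the post: explicit `width=1 height=1` sizing, equivalent zero/one-pixel CSS sizing, or an image hidden via `display:none`/`visibility:hidden`. It also counts the remote (http/https) images that survive, which is the number a client would use to decide whether the "remote content blocked" bar is worth showing at all. The sample message, the `tracker.example`/`cdn.example` hosts and the heuristic thresholds are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Attribute or CSS length of 0 or 1 pixels, e.g. "1", "0", "1px" (constructed heuristic).
_SIZE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(px)?\s*$", re.I)
_REMOTE_RE = re.compile(r"^\s*https?://", re.I)


def _tiny(value):
    """True if a width/height value denotes a 0 or 1 pixel dimension."""
    if value is None:
        return False
    m = _SIZE_RE.match(value)
    return bool(m) and float(m.group(1)) <= 1


def _style_props(style):
    """Split an inline style attribute into a {property: value} dict (lower-cased)."""
    props = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            props[key.strip().lower()] = val.strip().lower()
    return props


def is_web_bug(attrs):
    """Classify an <img> by its attribute list as a tracking pixel or not."""
    a = {k.lower(): v for k, v in attrs}
    style = _style_props(a.get("style"))
    if _tiny(a.get("width")) and _tiny(a.get("height")):
        return True  # explicit width=1 height=1 (or 0)
    if _tiny(style.get("width")) and _tiny(style.get("height")):
        return True  # same thing expressed as inline CSS
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        return True  # invisible image: no user benefit, only a network beacon
    return False


class WebBugScrubber(HTMLParser):
    """Re-emits the document verbatim, minus <img> elements classified as web bugs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = 0        # web bugs dropped
        self.remote_images = 0  # http(s) images left in the message

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            if is_web_bug(attrs):
                self.removed += 1
                return  # drop the element entirely
            if _REMOTE_RE.match(dict(attrs).get("src") or ""):
                self.remote_images += 1
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<img .../>): emit once, never add a closing tag.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def scrub_web_bugs(html):
    """Return (cleaned_html, web_bugs_removed, remote_images_remaining)."""
    p = WebBugScrubber()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed, p.remote_images


# Constructed sample message: two tracking pixels, one inline (cid:) logo, one real remote image.
SAMPLE_EMAIL = """<html><body>
<p>Hello &amp; welcome!</p>
<img src="https://tracker.example/open?id=42" width="1" height="1" alt="">
<img src="https://tracker.example/pixel.gif" style="width:0;height:0;display:none">
<img src="cid:logo@example" width="200" height="60" alt="Logo">
<img src="https://cdn.example/banner.png" width="600" height="120">
</body></html>"""

if __name__ == "__main__":
    cleaned, removed, remote = scrub_web_bugs(SAMPLE_EMAIL)
    print(f"removed {removed} web bug(s); {remote} remote image(s) remain")
    print(cleaned)
```

Because the scrubber runs at sanitization time, a message whose only remote content was tracking pixels ends up with `remote_images_remaining == 0`, so the client can skip the info bar and the stored HTML shrinks accordingly. The visibility heuristics here are attribute-based only; a sanitizer with a layout engine, as the post notes, can go further.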