[gaia e-mail] sanitizing web-bug images?

Andrew Sutherland asutherland at asutherland.org
Wed Aug 15 06:53:39 UTC 2012


(I am posting to tb-planning as a proxy for the mozilla mailing list 
relating to the e-mail problem domain)

The (gaia) e-mail client for Firefox OS sanitizes all HTML because it 
can't use content policies to limit the capabilities of its iframe and 
iframe sandbox directives.

context:  HTML e-mails sometimes contain "web bugs" which are intended 
to notify the sender of the e-mail when you have read the email by 
causing your mail reader to trigger some type of network access that 
they can detect.  This is frequently done with 1x1 images.  Other 
possible tricks have included background sounds, and (I'm not sure 
whether anyone ever really used this) relying on DNS prefetches (to 
their DNS server).

Thunderbird blocks remote images and shows the "To protect your privacy, 
Thunderbird has blocked remote content in this message." It does this 
even in the case where the only images present are 1x1 web bugs.

The gaia e-mail client imminently does the same thing, but the cost of 
showing the info-bar equivalent is much higher because screens on mobile 
device are smaller.  Also, the network traffic is potentially more 
expensive to the user.

Since there is no real user benefit to the web bugs but definite privacy 
costs (if loaded) and potential usability and network costs, it seems 
reasonable to simply scrub the web-bugs from the HTML as part of the 
sanitization process.  (Also, it saves storage costs since sanitization 
occurs during synchronization.)

The arguments against sanitizing the web bugs are (possible 
interpretations of) user choice and game theory concerns that sanitizing 
based on explicit sizing (width=1 height=1) could lead to an arms war.  
I don't view the arms war as particularly concerning as e-mails can't 
run JS, transitions/animations are also sanitized, the sanitizer has 
access to a layout engine enabling it to determine visibility, and it is 
generally believed that most e-mail clients have poor HTML support.

In terms of specific feedback I am looking for, I am primarily 
interested in reasons why this would be a bad idea.

Andrew
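The scrubbing step the post describes, as an added example (this is not Gaia or Thunderbird code). It is written in Python for portability rather than in the client's JavaScript, and it makes three assumptions of its own: a "web bug" is an `<img>` with a remote `src` whose declared width and height (attributes or inline style) are each at most 1px or that is declared `display:none`, plus `<bgsound>` and `<link rel="dns-prefetch">` for the other tricks the post mentions; remaining remote images are kept but have their `src` moved to a hypothetical `data-blocked-src` attribute so the viewer can offer an unblock control instead of fetching them; and the sample message body is constructed. The report it returns is the decision the post is really after: whether any remote content remains, i.e. whether the info-bar is needed at all.

```python
"""Strip tracking 'web bugs' from HTML e-mail while rebuilding the markup.

Added example, not Gaia/Thunderbird code.  The web-bug heuristic and the
'data-blocked-src' attribute name are assumptions of this example.
"""
from html import escape
from html.parser import HTMLParser
import re

REMOTE_URL = re.compile(r"^\s*(?:https?:|//)", re.IGNORECASE)
VOID_TAGS = {"img", "br", "hr", "link", "meta", "input", "bgsound", "source", "wbr"}


def _px(value):
    """Return a length as a float, or None for absent, percent or unparseable values."""
    if value is None or "%" in value:
        return None
    m = re.match(r"\s*([0-9]*\.?[0-9]+)", value)
    return float(m.group(1)) if m else None


def _declared_box(attrs):
    """Width, height and hidden flag as declared by attributes or inline style."""
    width, height, hidden = _px(attrs.get("width")), _px(attrs.get("height")), False
    for decl in (attrs.get("style") or "").split(";"):
        if ":" not in decl:
            continue
        prop, val = decl.split(":", 1)
        prop, val = prop.strip().lower(), val.strip().lower()
        if prop == "width":
            width = _px(val)
        elif prop == "height":
            height = _px(val)
        elif prop == "display" and val == "none":
            hidden = True
    return width, height, hidden


def is_web_bug(tag, attrs):
    """Classify a start tag as a tracking beacon (assumed heuristic, see module doc)."""
    if tag == "bgsound":
        return True
    if tag == "link":
        return (attrs.get("rel") or "").strip().lower() == "dns-prefetch"
    if tag != "img" or not REMOTE_URL.match(attrs.get("src") or ""):
        return False  # local/inline (cid:) images are never web bugs here
    width, height, hidden = _declared_box(attrs)
    return hidden or (width is not None and height is not None and width <= 1 and height <= 1)


class WebBugSanitizer(HTMLParser):
    """Rebuild the markup, dropping web bugs and neutralising other remote images."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.web_bugs_removed = 0
        self.remote_images_blocked = 0

    def handle_starttag(self, tag, attrs):
        if is_web_bug(tag, dict(attrs)):
            self.web_bugs_removed += 1  # dropped entirely: nothing to show the user
            return
        pieces = []
        for name, value in attrs:
            if tag == "img" and name == "src" and REMOTE_URL.match(value or ""):
                name = "data-blocked-src"  # assumed attribute; viewer restores src on request
                self.remote_images_blocked += 1
            pieces.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + pieces) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize(html):
    """Return (clean_html, report); the report says whether a remote-content bar is still needed."""
    parser = WebBugSanitizer()
    parser.feed(html)
    parser.close()
    report = {
        "web_bugs_removed": parser.web_bugs_removed,
        "remote_images_blocked": parser.remote_images_blocked,
        "needs_remote_content_bar": parser.remote_images_blocked > 0,
    }
    return "".join(parser.out), report


# Constructed sample message body (not taken from the thread).
SAMPLE = (
    "<p>Hello &amp; welcome</p>"
    '<img src="https://track.example/open.gif" width="1" height="1">'
    '<img src="http://track.example/px.png" style="width:1px; height:1px">'
    '<img src="https://track.example/h.png" style="display:none">'
    '<img src="cid:logo" width="1" height="1" alt="inline part">'
    '<img src="https://cdn.example/photo.jpg" width="300" height="200" alt="photo">'
    '<bgsound src="http://track.example/s.wav">'
    '<link rel="dns-prefetch" href="//track.example">'
)

if __name__ == "__main__":
    clean, report = sanitize(SAMPLE)
    print(clean)
    print(report)
```

Run on the constructed sample, five elements are dropped (three beacon images, the `bgsound`, the prefetch link), the `cid:` image survives untouched because it is not remote, and the one real remote photo is kept with its `src` parked. A message whose only remote content was web bugs comes back with `needs_remote_content_bar` false, which is the mobile-screen saving the post is arguing for. Real attribute-based sizing is only part of the story; the post notes the client also has a layout engine to decide visibility, which this attribute-only heuristic does not attempt.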
