[gaia e-mail] sanitizing web-bug images?

Blake Winton bwinton at mozilla.com
Wed Aug 15 14:14:46 UTC 2012


On 15-08-12 2:53 , Andrew Sutherland wrote:
> (I am posting to tb-planning as a proxy for the mozilla mailing list 
> relating to the e-mail problem domain)
>
> The arguments against sanitizing the web bugs are (possible 
> interpretations of) user choice and game theory concerns that 
> sanitizing based on explicit sizing (width=1 height=1) could lead to 
> an arms war.  I don't view the arms war as particularly concerning as 
> e-mails can't run JS, transitions/animations are also sanitized, the 
> sanitizer has access to a layout engine enabling it to determine 
> visibility, and it is generally believed that most e-mail clients have 
> poor HTML support.
Another argument against is that B2G's email client wouldn't show up as 
highly in the rankings like this one 
<http://www.campaignmonitor.com/resources/will-it-work/email-clients/>, 
which seem to mostly be based on image loads.  (It's a minor point, and 
totally does not make it worth sacrificing user privacy, but I think 
it's worth mentioning.)

It would be nice to have better HTML support in email, but since email 
is push rather than pull, the security trade-offs should probably lean 
more towards safety than functionality.

I'm in favour of the idea.

Later,
Blake.

-- 
Blake Winton   Thunderbird User Experience Lead
bwinton at mozilla.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/tb-planning/attachments/20120815/10639df6/attachment.html>


More information about the tb-planning mailing list