[gaia e-mail] sanitizing web-bug images?

Irving Reid irving at mozilla.com
Wed Aug 15 19:52:11 UTC 2012


Unfortunately it has become very common for commercial email to carry 
almost all of its content in images; so much so that the message is 
completely missing if the content is stripped. In my own experience, the 
email notifications I get for my phone bill, my cable bill and my 
frequent flier plan all do this.

Now on one level I deplore the practice, and I wish Mozilla would step 
up to publicly challenging the privacy implications of commercial 
emailers knowing when and where we read the email they send us. 
Unfortunately, we still need to provide our users with a decent 
experience, and for the time being that includes allowing them to view 
HTML email with images rendered. Sound and JS still should be blocked in 
my opinion.

  - irving -

On 12-08-15 2:53 AM, Andrew Sutherland wrote:
> (I am posting to tb-planning as a proxy for the mozilla mailing list
> relating to the e-mail problem domain)
>
> The (gaia) e-mail client for Firefox OS sanitizes all HTML because it
> can't use content policies to limit the capabilities of its iframe and
> iframe sandbox directives.
>
> context:  HTML e-mails sometimes contain "web bugs" which are intended
> to notify the sender of the e-mail when you have read the email by
> causing your mail reader to trigger some type of network access that
> they can detect.  This is frequently done with 1x1 images.  Other
> possible tricks have included background sounds, and (I'm not sure
> whether anyone ever really used this) relying on DNS prefetches (to
> their DNS server).
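
An added illustration of the sanitizing trade-off discussed in this thread (not code from the Gaia e-mail client or from either poster): an allowlist pass built on Python's standard html.parser that drops sound, script and prefetch elements and holds remote images until the user opts in. The tag allowlist, the data-deferred-src attribute and the sample message are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for this example: tag -> attributes, URL attribute -> schemes.
ALLOWED = {"p": (), "br": (), "div": (), "a": ("href",), "img": ("src", "alt", "width", "height")}
SCHEMES = {"href": {"http", "https", "mailto"}, "src": {"http", "https", "cid"}}
SAMPLE = ('<div onclick="x()"><p>Your bill is ready.</p>'  # constructed message body
          '<img src="http://tracker.example/open.gif?id=42" width="1" height="1">'
          '<bgsound src="http://tracker.example/ping.wav">'
          '<link rel="dns-prefetch" href="//id42.tracker.example">'
          '<script>new Image().src="//tracker.example/js"</script></div>')

def scheme(url):  # scheme-relative //host/... URLs still hit the network
    return "http" if url.strip().startswith("//") else url.strip().partition(":")[0].lower()

class MailSanitizer(HTMLParser):
    def __init__(self, load_images=False):
        super().__init__(convert_charrefs=True)
        self.load_images, self.out, self.blocked, self.skipping = load_images, [], [], False

    def handle_starttag(self, tag, attrs):
        self.skipping = tag in ("script", "style")  # html.parser reports their body as raw text
        if tag not in ALLOWED:  # never rendered; log what it would have fetched
            self.blocked += [(tag, v) for n, v in attrs if n in ("src", "href") and v]
            return
        kept = ""
        for name, value in attrs:
            s = scheme(value or "")  # only href/src carry a scheme rule
            if name not in ALLOWED[tag] or value is None or s not in SCHEMES.get(name, {s}):
                continue
            if name == "src" and s != "cid" and not self.load_images:
                self.blocked.append((tag, value))
                name = "data-deferred-src"  # hypothetical hook for a "show images" button
            kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        self.skipping = False  # inside <script>/<style> only its own end tag is reported
        if tag in ALLOWED and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append("" if self.skipping else escape(data))

def sanitize(html, load_images=False):
    parser = MailSanitizer(load_images)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked
```

Calling sanitize(SAMPLE) returns the rewritten body plus the list of URLs that would have been contacted on open; passing load_images=True restores the image source while the sound and prefetch elements stay dropped.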
