[gaia e-mail] sanitizing web-bug images?
irving at mozilla.com
Wed Aug 15 19:52:11 UTC 2012
Unfortunately it has become very common for commercial email to carry
almost all of its content in images; so much so that the message is
completely missing if the content is stripped. In my own experience, the
email notifications I get for my phone bill, my cable bill and my
frequent flier plan all do this.

Now on one level I deplore the practice, and I wish Mozilla would step
up to publicly challenging the privacy implications of commercial
emailers knowing when and where we read the email they send us.
Unfortunately, we still need to provide our users with a decent
experience, and for the time being that includes allowing them to view
HTML email with images rendered. Sound and JS still should be blocked in
- irving -
On 12-08-15 2:53 AM, Andrew Sutherland wrote:
> (I am posting to tb-planning as a proxy for the mozilla mailing list
> relating to the e-mail problem domain)
>
> The (gaia) e-mail client for Firefox OS sanitizes all HTML because it
> can't use content policies to limit the capabilities of its iframe and
> iframe sandbox directives.
>
> context: HTML e-mails sometimes contain "web bugs" which are intended
> to notify the sender of the e-mail when you have read the email by
> causing your mail reader to trigger some type of network access that
> they can detect. This is frequently done with 1x1 images. Other
> possible tricks have included background sounds, and (I'm not sure
> whether anyone ever really used this) relying on DNS prefetches (to
> their DNS server).
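
The sanitizing approach discussed in this thread, as an added example that is not code from the gaia e-mail client or from either poster: a Python allowlist sanitizer that drops script and sound elements, discards images declared as 1x1, and parks every other remote image URL in an inert attribute until the user opts in. The names `MailSanitizer`, `sanitize`, `data-deferred-src` and the sample body are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser

# Added example (hypothetical names). Allowlist: unlisted tags/attributes are dropped.
ALLOWED = {"p": (), "br": (), "div": (), "b": (), "img": ("src", "alt", "width", "height")}
SKIP_TEXT = {"script", "style"}  # html.parser hands their body to handle_data
LOCAL = ("cid:",)                # image attached to the message: no network

class MailSanitizer(HTMLParser):
    def __init__(self, load_images=False):
        super().__init__(convert_charrefs=True)
        self.load_images, self.skip = load_images, False
        self.out, self.deferred, self.bugs = [], [], []

    def handle_starttag(self, tag, attrs):
        self.skip = tag in SKIP_TEXT
        if self.skip or tag not in ALLOWED:
            return
        a = {k: v or "" for k, v in attrs if k in ALLOWED[tag]}
        if "src" in a and not a["src"].lower().startswith(LOCAL):
            src = a.pop("src")
            if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
                self.bugs.append(src)      # declared 1x1: dropped, never fetched
                return
            if self.load_images and src.lower().startswith(("http://", "https://")):
                a["src"] = src             # user opted in for this message
            else:
                self.deferred.append(src)  # inert attribute, nothing is fetched
                a["data-deferred-src"] = src
        attr_text = "".join(' %s="%s"' % (k, escape(v)) for k, v in a.items())
        self.out.append("<%s%s>" % (tag, attr_text))

    def handle_endtag(self, tag):
        self.skip = False  # an end tag is only reported once script/style closed
        if tag in ALLOWED and tag not in ("br", "img"):
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(html, load_images=False):
    s = MailSanitizer(load_images)
    s.feed(html)
    s.close()
    return "".join(s.out), s.deferred, s.bugs  # html, deferred URLs, web bugs

SAMPLE = ('<p onclick="x()">Your bill is ready</p>'  # constructed, not from the thread
          '<img src="https://mail.example/bill.png" width="600" height="400">'
          '<img src="https://mail.example/o.gif?id=42" width="1" height="1">'
          '<img src="cid:logo"><bgsound src="a.wav"><script>track()</script>')
```

The 1x1 test only catches images that declare their size; an undeclared tracking image is still held back by the deferral, and is fetched like any other remote image once the user opts in.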