<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body smarttemplateinserted="true">
<div id="smartTemplate4-template">
<style>.snipped {
border: 1px solid rgba(90,90,90,0.2); padding: 3px;
background: linear-gradient(to bottom, #fdeff4 0%,#fdb9bd 51%,#fea2a3 59%,#ff999e 100%);
}
#agGmail {
margin-left: 6px;
}
#agGmail, #agGmail p {
font-family: Cambria, Georgia, serif !important;
font-size:11pt;
text-align: left;
}
#agGmail p {
max-width: 950px;
}
</style>
<div id="agGmail">
<p>That's crazy. Did the attached mail actually leak CSS into
the main email??</p>
<p>Wow, I never thought of that. I guess that's one downside of
showing attachments inline. Should they be style-stripped?</p>
<p>Axel<br>
</p>
<p>
<style type="text/css">.myNameAG {
text-shadow: 1px 1px 2px #DDD;
transition:font-size 0.5s;
}
.myNameAG:hover, .myNameAG a:hover
{ font-size:13pt; text-shadow: 3px 3px 4px rgba(200,250,200,0.7);}
.moz-signature {opacity: 1.0 !important;}
.myNameAG a { cursor: pointer !important; transition:font-size 0.5s;}
.myLogoAG {
transition: all .4s ease-out;
}
.myLogoAG:hover {
transform: scale(3) translate(-30px,-5px);
}
#SignatureAG, :not(blockquote) #SignatureAG {
background: rgb(230,240,163);
background-image: linear-gradient(to bottom, rgba(230,240,163,1) 0%,rgba(210,230,56,1) 50%,rgba(195,216,37,1) 51%,rgba(219,240,67,1) 100%);
color: #444;
box-shadow: 4px 4px 9px -2px rgba(0,0,0,0.65);
border-radius: 0.7em; padding: 0.8em 1.2em;
border: 1px dashed #8080A0;
font-size: 11pt !important;
font-family: 'Lucida Sans Unicode', 'Lucida Grande', sans-serif;
width: 65%;
}
.AddonList a {
color: #666666;
font-size: 10pt !important;
}
</style></p>
<div id="SignatureAG"> <b class="myNameAG"><a
href="mailto:axel.grude@gmail.com">Axel Grude</a></b> <br>
Music Production and Composition <br>
Thunderbird Add-ons Developer <span class="AddonList">(<a
href="https://addons.thunderbird.net/thunderbird/addon/quickfolders-tabbed-folders/">QuickFolders</a>,
<a
href="https://addons.thunderbird.net/thunderbird/addon/quickfilters/">quickFilters</a>,
<a
href="https://addons.mozilla.org/firefox/addon/quickpasswords/">QuickPasswords</a>,
<a
href="https://addons.thunderbird.net/thunderbird/addon/zombie-keys/">Zombie
Keys</a>, <a
href="https://addons.thunderbird.net/thunderbird/addon/smarttemplate4/">SmartTemplate⁴</a>)</span>
<br>
Visit my <a href="https://www.youtube.com/c/thunderbirddaily">YouTube
Channel</a> for email productivity tips <img
style="margin-top: 1em; float: right; box-shadow: 1px 1px
2px rgba(20, 20, 20, 0.4);" moz-do-not-send="false"
class="myLogoAG" src="cid:part8.941C11EB.4EE81796@gmail.com"
alt="Get Thunderbird!" width="94" height="15">
</div>
</div>
</div>
<div id="smartTemplate4-quoteHeader">
<style type="text/css" scoped="">
#newHeaderAG1 b { font-weight:bold; color: #990033; min-width: 4.5em; max-width:none; display:inline-block;}
</style>
<blockquote type="cite" style="margin-bottom: -20px !important;
padding-bottom:20px !important;">
<div id="newHeaderAG1" style="font-size: x-small; padding:1em;
background-color:rgba(220,220,240,0.4); border-radius:3px;"> <b>Subject:</b>Re:
Product decision regarding HTML/CSS email and digital
signatures<br>
<b>From:</b>Dirk Steinmetz (Rsjtdrjgfuzkfg)
<a class="moz-txt-link-rfc2396E" href="mailto:thunderbird-lists@rsjtdrjgfuzkfg.com">&lt;thunderbird-lists@rsjtdrjgfuzkfg.com&gt;</a><br>
<b>To:</b><a class="moz-txt-link-abbreviated" href="mailto:Tb-Planning@mozilla.org">Tb-Planning@mozilla.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:tb-planning@mozilla.org">&lt;tb-planning@mozilla.org&gt;</a> <br>
<b>Sent: </b>Thursday, 3/12/2020 21:02<br>
</div>
</blockquote>
</div>
<blockquote type="cite"
cite="mid:425716b4-c7c5-b86b-0674-d08a4552deb9@rsjtdrjgfuzkfg.com">Hi
Kai &amp; everybody else,
<br>
<br>
I think this is likely a symptom of the bigger problem of
CSS-preservation in replies.
<br>
<br>
I'm personally in the "text-only" camp, so take my feedback with a
grain of salt. But coming from purely an end user expectation
perspective, I see many problems when preserving CSS without
scoping it to the reply part – independently of security concerns.
<br>
<br>
For example, try replying to the attached email with default
Thunderbird settings: you end up with black text on black ground
and Thunderbird's background color picker in a broken state. That
is not a security issue, but definitely not a nice user
experience.
<br>
<br>
I think we should either alter CSS to be scoped to the div the
quote lives in (probably hard, but there seem to be some
JavaScript libraries that claim to do that), quote in a separate
HTML document (iframe and/or attachment) or strip all styles when
quoting. The latter would also make quoting excerpts more stable.
<br>
<br>
No idea about standard compliance and support from web mailers and
other email clients, though – I assume stripping would lead to the
most consistent results across clients, while at least some
clients will probably choke on frames – but I have not tested
anything.
<br>
<br>
So I think it would be a good idea to fix the underlying issue
first (how CSS is handled in replies) – that would imho improve
both security and usability. :)
<br>
<br>
That being said, it might be reasonable to also sanitize CSS to
fix situations in which users receive a 'forged' mail and/or add a
warning/prompt when signing mails with media queries. I personally
prefer erring on the side of security for all default values and
agree with Rob that we have precedent here.
<br>
<br>
Kind regards,
<br>
Dirk / rsjtdrjgfuzkfg
<br>
<br>
<br>
On 03.12.20 at 21:33, Rob Lemley wrote:
<br>
<blockquote type="cite">IMHO, the precedent would be the "Allow
remote content in messages" preference, which defaults to "off"
(do not allow remote content). That's already changing how
messages are displayed, prioritizing security over pretty.
<br>
<br>
On 12/3/20 8:42 AM, Kai Engert wrote:
<br>
<blockquote type="cite">On 03.12.20 14:37, Kai Engert wrote:
<br>
<blockquote type="cite">The reports caused Magnus to suggest
that we display the security
<br>
protections, see the patch he attached.
<br>
</blockquote>
<br>
typo:
<br>
<br>
"disable" the security protections
<br>
_______________________________________________
<br>
tb-planning mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:tb-planning@mozilla.org">tb-planning@mozilla.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://mail.mozilla.org/listinfo/tb-planning">https://mail.mozilla.org/listinfo/tb-planning</a>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
</blockquote>
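<p>The "strip all styles when quoting" option raised in the thread, as an added example that is not part of the original messages and not Thunderbird's code. It uses Python's standard <code>html.parser</code>; the names <code>QuoteStyleStripper</code> and <code>strip_styles</code> and the lists of dropped elements and attributes are assumptions made for the illustration.</p>

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: what counts as "style" in a quoted message.
DROP_ELEMENTS = {"style", "script"}  # raw-text elements, removed with content
DROP_ATTRS = {"style", "class", "id", "bgcolor", "text", "color", "background"}
VOID = {"br", "hr", "img", "meta", "link", "wbr"}

class QuoteStyleStripper(HTMLParser):
    """Re-serialise quoted HTML, leaving out everything that carries styling."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.skipping = True  # the parser hands us the content as data
            return
        rel = dict(attrs).get("rel") or ""
        if tag == "link" and "stylesheet" in rel.lower():
            return  # external stylesheet reference
        kept = "".join(
            f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
            for k, v in attrs if k not in DROP_ATTRS
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self.skipping = False
        elif tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

def strip_styles(quoted_html: str) -> str:
    parser = QuoteStyleStripper()
    parser.feed(quoted_html)
    parser.close()  # flush buffered text
    return "".join(parser.out)

# Constructed sample: CSS that would turn the whole reply black on black.
SAMPLE = ('<style>body { background: black; color: black }</style>'
          '<div style="color:black" class="q">Hello <b>Kai</b> &amp; all<br></div>')

if __name__ == "__main__":
    print(strip_styles(SAMPLE))
```

<p>Dropping <code>class</code> and <code>id</code> as well keeps the reply author's own stylesheet from matching elements inside the quote.</p>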
</body>
</html>