On Friday, 14 June 2013 19:01:41 CEST, Thomas Lübking wrote:
> (Proof: you're willing to whitelist domains. You didn't see the implications. You're certainly above mean. qed.)
I was actually aware of this threat and expected the users to be aware of the risks of allowing access to domains they do not "trust" (speaking about the domains in the URLs here). I also know that the problem is in accessing the URLs, not in the content which is returned from there.

What do you propose?

a) Being firm in what we do and disallow loading images unless explicitly requested for this mail. This means breaking the OP's workflow, even though you and I might disagree with the, well, suitability of such a workflow. People do insane things with mail; I recall someone complaining on their Bugzilla that Thunderbird stopped being able to submit HTML forms from incoming mails...

b) Providing a whitelist of domains for clueful users, with the risk of the rest shooting themselves in the foot way too often.

c) Provide a global checkbox and make the risk of shooting into a foot a matter of "when", not a matter of "if".

d) Something else.

To me, and with the threat model that I can imagine, the target domain is the only information which can be trusted, at least until Trojita ships with support for verifying signed mail.

Do you see a flaw in this reasoning?

Cheers,
Jan

-- 
Trojitá, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/
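The per-domain whitelist of option b) hinges on the point made above: the only thing the client can trust is the target domain of the URL, so the decision must be made on a carefully extracted host and nothing else. The following is an added example, not code from this thread or from Trojitá; the allowlist entries, URLs and the function names are constructed for illustration. It defaults to blocking, accepts only http/https, ignores userinfo and port, rejects IP literals, and matches either the exact name or a subdomain of an allowed name (never a bare suffix), which is where naive substring checks go wrong.

```python
from urllib.parse import urlsplit
from ipaddress import ip_address

# Constructed sample allowlist: names a user has explicitly chosen to trust.
ALLOWLIST = {"newsletter.example.com", "images.example.org"}

# Only network schemes are ever considered; data:, file:, cid: etc. are
# not remote domains and must not match anything in the allowlist.
ALLOWED_SCHEMES = {"http", "https"}


def host_of(url):
    """Return the normalized host of `url`, or None if no trustworthy host exists."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None  # malformed URL (e.g. unbalanced IPv6 brackets)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host:
        return None
    host = host.rstrip(".")  # "example.com." is the same name as "example.com"
    try:
        ip_address(host)
        return None  # an IP literal is never "a domain the user trusted"
    except ValueError:
        pass
    return host


def is_allowed(url, allowlist=ALLOWLIST):
    """Decide whether a remote resource at `url` may be fetched."""
    host = host_of(url)
    if host is None:
        return False
    # Exact match or a subdomain of an allowed name. Requiring the leading dot
    # keeps "newsletter.example.com.evil.test" from passing as a suffix match.
    return any(host == a or host.endswith("." + a) for a in allowlist)


def decide(urls, allowlist=ALLOWLIST):
    """Map each URL to the fetch decision, handy for reviewing a whole message."""
    return {u: is_allowed(u, allowlist) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs as they might appear in an HTML mail body.
    sample = [
        "https://Images.Example.Org:8443/pixel.gif?id=abc",
        "http://sub.newsletter.example.com/a.png",
        "http://newsletter.example.com@evil.test/x.png",
        "http://newsletter.example.com.evil.test/a.png",
        "http://192.0.2.7/track.gif",
        "data:image/png;base64,AAAA",
    ]
    for url, ok in decide(sample).items():
        print("LOAD " if ok else "BLOCK", url)
```

Whether subdomains of an allowed name should match is a policy choice; the example says yes because that is what most users mean when they trust "example.com", but it is a one-line change if a stricter exact match is wanted.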