privacy problem: text/html parts pull in network resources
Austin Clements
aclements at csail.mit.edu
Wed Jan 21 14:39:09 PST 2015
Quoth Daniel Kahn Gillmor on Jan 21 at 4:36 pm:
> On Wed 2015-01-21 16:14:07 -0500, Austin Clements wrote:
> > I have a fix for this on shr buried deep in an old patch series that I
> > never got back to: id:1398105468-14317-12-git-send-email-amdragon at mit.edu
> >
> > For shr, the key is to set shr-blocked-images to ".".
>
> I've just done this, but it doesn't seem to help.
>
> > However, IIRC, in the current notmuch message rendering pipeline, mm
> > overrides this variable with something computed from
> > gnus-blocked-images. That said, I'm not sure why gnus-blocked-images
> > isn't *already* taking care of this, but that's probably the place to
> > start digging.
>
> gnus-blocked-images is set for me to the function
> gnus-block-private-groups, but i don't know what that is (the function
> is undocumented afaict). Setting gnus-blocked-images to a regexp of "."
> seems to work for me, though.
In notmuch, mm will wind up calling (gnus-block-private-groups nil).
Unfortunately, gnus apparently considers nil to be a news group rather
than a "private group" (gnus speak for email, I think), so
gnus-block-private-groups returns nil (meaning *don't* block images)
rather than ".".
Probably notmuch should override the gnus-blocked-images variable,
since the default value is simply wrong for notmuch. Maybe something
along the lines of the following should go around our text/html
handler?
(let ((gnus-blocked-images
(if (eq gnus-blocked-images 'gnus-block-private-groups)
;; mm uses gnus-blocked-images to control image loading.
;; However, the default value of gnus-blocked-images
;; doesn't work for notmuch because
;; gnus-block-private-groups depends on gnus variables we
;; don't set. Override it to disallow network image
;; loading.
"."
;; Use the user's customized value.
gnus-blocked-images)))
...)
Long live abstraction!
More information about the notmuch
mailing list