privacy problem: text/html parts pull in network resources

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 27 19:47:35 PST 2015


On Sun 2015-01-25 12:51:43 -0500, David Bremner wrote:
> Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
>
>> If i send a message with a text/html part (either it's only text/html,
>> or all parts are rendered, or it's multipart/alternative with only a
>> text/html subpart) and that HTML has <img
>> src="http://example.org/test.png"/> in it, then notmuch will make a
>> network request for that image.
>>
>> This is a privacy disaster, because it enables an e-mail sender to use
>> "web bugs" to tell when a given notmuch user has opened their e-mail.
>
> I've just pushed Austin's shr related series to master, so this problem
> should be fixed as of commit b74ed1c. One tradeoff that we should at
> least remark in NEWS, if not actually fix, is that I think there is now
> no way to view such images in notmuch.  I don't know offhand what other
> html renderers will do.

thanks for this, David and Austin!

Other html-rendering mail clients that are privacy-conscious will often
provide a button or mechanism to indicate that some remote resources
were requested by the page but weren't fetched (e.g. a button saying
something like [Load Remote Images...]).  I have no idea who actually
clicks on those buttons (or why), though, and even if we wanted them,
we'd only want to add a button on an image that actually had remote
network resources to load, and i don't know how we'd get that
information propagated back up the rendering stack to make such a
display decision.   So i'm fine with leaving it this way for now.

        --dkg


More information about the notmuch mailing list