MBOX-Line: From jkt at flaska.net Fri May 15 07:24:30 2015 To: imap-protocol@u.washington.edu From: =?iso-8859-1?Q?Jan_Kundr=E1t?= Date: Fri Jun 8 12:34:54 2018 Subject: [Imap-protocol] Registration of keyword which enables fetching external images Message-ID: <5f24e38f-5968-4367-97f6-fa4008f582fd@flaska.net> Hi, I would like to propose a new IMAP keyword "$LoadExternals". When this keyword is set on a given message, MUA can safely assume that it can go ahead and automatically fetch external entities linked from any part of the concerned message. Rationale -- when displaying HTML content, a reasonable MUA doesn't blidnly dereference URLs which point to a location that might be under the control of a third party (typical use case: external images or CSS). This is done for privacy reasons so that we don't leak information about the recipient by accident. However, once a request to a given external URL has been made, the privacy issue doesn't matter anymore (the information has leaked already). It is therefore typically safe to make this per-message setting permanent, and to do so in a manner which is interoperable across different MUAs. The proposed mode of operation is the following: - When $LoadExternals is not set, show an appropriate notification in a non-obtrusive manner, possibly listing the locations to fetch data from. Do *not* fetch remote content. - When $LoadExternals is set, do not block requests to remote content. Show an appropriate non-obtrusive notification about this state and allow the user to uncheck this whitelisting. - Server-side filtering scripts are allowed to set $LoadExternals based on implementation-defined heuristic or policy (such as using site-wide statistics about URLs and the likelihood of them being useful for tracking, or auto-whitelisting internal domains, etc). Are there any other MUAs besides Trojita interested in this? Is the $LoadExternals acceptable? I don't care about a particular name, but I think that avoiding needlessly long strings is reasonable. Suggestions are welcome. Once we have some consensus about the need for this, I'll be happy to write a formal draft. With kind regards, Jan -- Trojit?, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/