Re: Introduction: Neil Jenkins, FastMail

On 05/02/2014 02:51 , Neil Jenkins wrote:
> On Wed, 5 Feb 2014, at 03:21 AM, Robin Berjon wrote:
>> welcome! I have to say that I really like the JMAP draft that FastMail
>> released not long ago.
>
> Thanks! We're keen to push this along this year too; it will make it
> much easier for new email clients to be written, and much faster (and
> more bandwidth-efficient) for existing clients to sync email.

I heartily agree. Having that plus an agreed-upon way of displaying HTML 
email would make the webmail world so much simpler (and therefore more 
innovative — email needs innovation, badly).

> It's early
> stages, but we're hopeful we can get enough companies on board to make
> it happen. We'll see.

The sort of protocol you describe there is perhaps more of an IETF 
thing, but if you want to use the W3C's Community Group infrastructure 
to help get things organised you're more than welcome to do so.

>> • Does <style scoped> help you in any way? Would you need
>> something else?
>
> It would help, but it only completes half the picture: we also need to
> make sure that styles defined in the rest of the page do not apply to
> the email message itself. This can be achieved by rewriting all the
> class names and ids in the email on the server, in both the HTML and
> CSS, to include a unique prefix (this is an approach we have used in the
> past); however, this is just as much of a pain to do (and can break some
> selectors), so doesn't really save us much on our current solution.

It's still cutting-edge stuff, but I wonder: have you considered 
including the email content in a shadow tree with resetStyleInheritance set?

>> • What if browsers provided an API that allowed them to sanitise
>> content for you (with some parameters allowing you to control the
>> whitelist), would that help? Would you use it?
>
> Potentially this would be useful, yes. Of course, we'd still have to do
> the existing workarounds for older browsers for quite some time, but if
> it was simple enough to adopt then we would definitely use it: at the
> very least it adds an extra layer of security.

I'll add that to the list of things to look at.

>> • Do you use CSP? If not, is there anything to fix with it that would
>> make it work for you?
>
> We have tried to enable CSP in the past, but found it not to be viable
> (if I remember correctly, the problem was to do with people's extensions
> in the browser being completely broken with CSP enabled). This was over
> a year ago though, and the implementations have improved a lot. We
> should enable report-only mode again and see what comes up.

That looks like a bug. It would be useful to know how you fare with CSP. 
The use case you have is spot within its boundaries and if it doesn't 
work for you then we need to report this to the WebAppSec people.

-- 
Robin Berjon - http://berjon.com/ - @robinberjon

Received on Wednesday, 5 February 2014 10:42:40 UTC
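The server-side prefix-rewriting approach Neil describes (renaming every class and id in the message's HTML and embedded CSS so the host page's stylesheet cannot reach it) as an added Python example; this is not FastMail's code and not part of the thread, and the sample message fragment and the `m42_` prefix are constructed. It also shows two of the selector breakages the approach causes.

```python
import html
import re
from html.parser import HTMLParser

# ".name" / "#name" tokens in a selector list (CSS identifiers, simplified).
SEL_TOKEN = re.compile(r"([.#])(-?[_a-zA-Z][\w-]*)")
# One flat rule "selectors { declarations }"; nested @media blocks are not handled.
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")

def prefix_css(css, prefix):
    """Prefix class/id names inside selectors only; declarations (hex colours,
    url(#frag)) are untouched. Known breakage: strings in attribute selectors
    such as [href$=".pdf"] are rewritten, while [class~="x"] is not."""
    def fix_rule(m):
        selectors = SEL_TOKEN.sub(lambda t: t.group(1) + prefix + t.group(2), m.group(1))
        return selectors + "{" + m.group(2) + "}"
    return RULE.sub(fix_rule, css)

class PrefixRewriter(HTMLParser):
    """Re-serialise an HTML fragment with every class token and id prefixed,
    and same-document anchors (href="#id") updated to the renamed id."""
    def __init__(self, prefix):
        super().__init__(convert_charrefs=True)
        self.prefix, self.out, self.in_style = prefix, [], False
    def handle_starttag(self, tag, attrs):
        rendered = ""
        for name, value in attrs:
            if value is None:                      # boolean attribute, e.g. <td nowrap>
                rendered += f" {name}"
                continue
            if name == "class":
                value = " ".join(self.prefix + c for c in value.split())
            elif name == "id":
                value = self.prefix + value
            elif name == "href" and len(value) > 1 and value.startswith("#"):
                value = "#" + self.prefix + value[1:]
            rendered += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{rendered}>")
        self.in_style = tag == "style"
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)           # void element such as <br/>: no end tag
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
        self.in_style = False
    def handle_data(self, data):
        # Inside <style> the data is raw CSS to rewrite; elsewhere it is text to re-escape.
        self.out.append(prefix_css(data, self.prefix) if self.in_style
                        else html.escape(data, quote=False))

def prefix_email_html(fragment, prefix):
    """Rewrite one message's HTML and embedded CSS under a per-message prefix."""
    parser = PrefixRewriter(prefix)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Constructed sample message fragment (not a real email).
SAMPLE = ('<style>.header { color: #336699 } #promo .cta, a:hover { font-weight: bold }</style>'
          '<div class="header main" id="promo"><a href="#promo" class="cta">Jump &amp; go</a></div>')
```

Calling `prefix_email_html(SAMPLE, "m42_")` renames the classes, the id and the `#promo` anchor consistently, while `prefix_css('[class~="header"] { x: y }', "m42_")` comes back unchanged and so no longer matches the renamed element.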