- From: Neil Jenkins <neilj@fastmail.fm>
- Date: Wed, 05 Feb 2014 12:51:44 +1100
- To: HTML for Email Community Group <public-htmail@w3.org>
On Wed, 5 Feb 2014, at 03:21 AM, Robin Berjon wrote: > welcome! I have to say that I really like the JMAP draft that FastMail > released not long ago. Thanks! We're keen to push this along this year too; it will make it much easier for new email clients to be written, and much faster (and more bandwidth-efficient) for existing clients to sync email. It's early stages, but we're hopeful we can get enough companies on board to make it happen. We'll see. > • Does <style scoped> help you in any way? Would you need > something else? It would help, but it only completes half the picture: we also need to make sure that styles defined in the rest of the page do not apply to the email message itself. This can be achieved by rewriting all the class names and ids in the email on the server, in both the HTML and CSS, to include a unique prefix (this is an approach we have used in the past); however, this is just as much of a pain to do (and can break some selectors), so doesn't really save us much on our current solution. > • Regarding stuff like removing position: fixed, what if there were > a way of indicating from a containing context that such properties > (or in general positions outside of the box) are forbidden? Would > that help? Yes, it would be very helpful to be able to prohibit any drawing outside of an element (overflow hidden doesn't quite do it). > • I'm curious why you're not using an iframe to display the email > content — is that for performance reasons? Or something else? We used to do this, but switched for two good reasons: 1. Performance. We show messages threaded into conversations. If you try to render 50 messages at the same time, each in an iframe, even modern computers running the latest browser would grind to a halt. No such problem with the current method. 2. Printing. A lot of users still actually print their email (weird, I know), and iframes are all sorts of broken when it comes to printing in most browsers. You would normally get nothing beyond the first page. Now, we could do what every other webmail does, and force the user to open a special "print view" in a new window, but we think having a print stylesheet that allows the user to just go File->Print is much more elegant. > • It's looking like, as a solution, it may not be here to stay, but > would something like <iframe seamless> help you? If not, would > something else of the same kind? Unless it solves the two problems above, no. > • What if browsers provided an API that allowed them to sanitise > content for you (with some parameters allowing you to control the > whitelist), would that help? Would you use it? Potentially this would be useful, yes. Of course, we'd still have to do the existing workarounds for older browsers for quite some time, but if it was simple enough to adopt then we would definitely use it: at the very least it adds an extra layer of security. > • Do you use CSP? If not, is there anything to fix with it that would > make it work for you? We have tried to enable CSP in the past, but found it not to be viable (if I remember correctly, the problem was to do with people's extensions in the browser being completely broken with CSP enabled). This was over a year ago though, and the implementations have improved a lot. We should enable report-only mode again and see what comes up. Neil.
Received on Wednesday, 5 February 2014 01:52:06 UTC