Re: HTML interpreter vs. HTML user agent from Jonas Sicking on 2009-06-01 (public-html@w3.org from June 2009)

From: Jonas Sicking <jonas@sicking.cc>
Date: Sun, 31 May 2009 21:07:22 -0700
To: Ian Hickson <ian@hixie.ch>
Cc: Larry Masinter <masinter@adobe.com>, HTML WG <public-html@w3.org>
Message-ID: <63df84f0905312107g20f9c96es7b34fb644202d05e@mail.gmail.com>

We have had scripting disabled in thunderbird since the dawn of time
(well, thunderbirds time). The main problem with scripts in email goes
something like this:

Adam sends an email to Bert. In this email he embeds a script.
Bert receives the email and forwards the email to Carla, adding some
comments to it regarding Adams original email.
Carla opens the email using a mail reader that has scripting enabled.

At this point the script can read the DOM of the email and use that to
read Berts comments to Carla. The script can then create an <img>
element and set the src attribute to
"http://adam.example.com/save?<data-in-comments>". This way Adam can
spy on any comments Bert made about his email. And this is possible
even if Bert uses a email reader with scripting disabled as it's
Carlas email reader that sends Berts comments to Adams server.

/ Jonas

On Sun, May 31, 2009 at 11:18 AM, Ian Hickson <ian@hixie.ch> wrote:
> On Sun, 31 May 2009, Larry Masinter wrote:
>>
>> Not sure I understand -- does web mail have to turn off scripting?
>
> I wish e-mail wouldn't use HTML at all, but that's another story.
>
> I interpreted your question as asking if there was a description of the
> "restricted HTML" that Maciej describes, in the spec. Since the
> restriction is to disable script, that's what I pointed to.
>
>
>> Is the only HTML that is suitable for transmission by email to a web
>> mail user one that doesn't rely on scripting?
>
> I would presume that Web mail and regular e-mail clients would use the
> same kind of e-mail standards. It seems highly unwise to splinter the
> e-mail world based on the user agent used.
>
>
>> How can I email HTML which uses <canvas>, if scripting is turned off for
>> web mail users?
>
> It doesn't seem particularly wise to enable scripting in e-mail, but I
> suppose if one wanted to, there's no theoretical reason one couldn't do
> so, really. For Web mail clients in particular, the sandbox="" feature I
> mentioned in my earlier e-mail would be quite well suited to providing
> the control that a Web mail provider could want to have.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>
>

Received on Monday, 1 June 2009 04:08:19 UTC