Summary: | HTML mail styles spill into message header: security risk | |
---|---|---|---|
Product: | [Applications] kdepim | Reporter: | Gunter Ohrner <kdebugs> |
Component: | messageviewer | Assignee: | kdepim bugs <kdepim-bugs> |
Status: | CONFIRMED --- | |
Severity: | major | CC: | bugs.kde.org, jjm, montel, nik, simon, sudhir, thomas |
Priority: | HI | |
Version: | GIT (master) | |
Target Milestone: | --- | |
Platform: | Neon | |
OS: | Linux | |
Latest Commit: | | Version Fixed In: | |
Sentry Crash Report: | | |

Attachments:
- Correct header in plain text view.
- Header re-formatted by the displayed HTML mail.
- email message used for the screenshots

Description
Gunter Ohrner
2016-10-25 10:41:17 UTC

where is the screenshot ?:)

Created attachment 101814
Correct header in plain text view.

Created attachment 101815
Header re-formatted by the displayed HTML mail.

Whoops, sorry. Attached. Did I mention that the "missing attachment warner" is one of kMail's most valuable features? :-D

Created attachment 101831
email message used for the screenshots

Sorry, I also forgot to attach the testcase message... :-(
Here it is.

Still an issue in 5.18.3 (apparently this version is not available in the drop-down menu).

This is actually an issue in messageviewer. It happens because the HTML message's header (including style) is used for the full message view, to which the header and attachment footers are added. So any HTML message style not explicitly overridden in the header theme, but different from the default KMail style can wreak havoc on the header. This cannot reasonably be fixed in the header themes. What should happen is that the HTML message is displayed in a separate box (iframe or something less intrusive) and that its header is not used for the full message view.

*** Bug 359425 has been marked as a duplicate of this bug. ***

*** Bug 340621 has been marked as a duplicate of this bug. ***

See also 441829, 429393, 317177

*** Bug 441829 has been marked as a duplicate of this bug. ***

*** Bug 429393 has been marked as a duplicate of this bug. ***

As is clear from some bug reports marked as a duplicate of this one, this issue is a security risk. Namely, the HTML's CSS may apply changes in an adversarial way, to, e.g., make phishing scams more credible and more difficult to detect by the user.

I've added that this is a security risk to the header and increased the importance. I've also indicated that it is still present in the current development branch.

What has not yet been mentioned, I think, is that this issue can affect display of attachments.

Any ideas for fixing this are welcome. The current rendering engine is far more advanced than it was five years ago, so we may have better options now.

1. I have looked at two webmail clients (Fastmail and Web Outlook) to see how they deal with this issue. They essentially seem to include a div with the HTML email that includes the style element for that email. While this is against the html spec (style may only be introduced in the head element), it seems to work decently.

2. After reading up on the current state of HTML, a possibly spec-compliant fix might be achieved using ‘Web Components’ <https://developer.mozilla.org/en-US/docs/Web/Web_Components>, using templates and/or slots. It seems designed mostly with dynamic pages in mind, but may be usable even for kmail's relatively simple purpose. How exactly this could be done is not clear to me yet, TBH.
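
The "separate box" approach suggested in the thread, as an added example that is not part of the original report and is not KMail or messageviewer code: all function names, class names and the sample message are constructed for illustration. It contrasts a merged page, where the message's style element lands in the document that holds the header, with a sandboxed iframe whose `srcdoc` carries the message as its own document.

```javascript
'use strict';
// Added example. All names, markup and sample data are constructed;
// this is not KMail or messageviewer code.

const STYLE_RE = /<style\b[^>]*>[\s\S]*?<\/style>/gi;

// Constructed sample: the client's own header block and an HTML mail part.
const SAMPLE_HEADER = '<div class="header">From: alice@example.org</div>';
const SAMPLE_MAIL = '<style>div { font-size: 40px }</style><p>Hello</p>';

// Escape a string for a double-quoted HTML attribute value.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// <style> elements present as markup in a page, i.e. rules that
// apply to that page's own elements, the header block included.
function outerStyles(pageHtml) {
  return pageHtml.match(STYLE_RE) || [];
}

// Merged view as described in the thread: the message's styles end up
// in the head of the page that also contains the header block.
function composeMerged(headerHtml, mailHtml) {
  const styles = outerStyles(mailHtml).join('');
  const body = mailHtml.replace(STYLE_RE, '');
  return '<!DOCTYPE html><html><head>' + styles + '</head><body>' +
         headerHtml + '<div class="mail">' + body + '</div></body></html>';
}

// Isolated view: the message is a separate document inside a sandboxed
// iframe, so its rules are scoped to that document. The outer page
// carries no message markup, only the escaped srcdoc attribute.
function composeIsolated(headerHtml, mailHtml) {
  return '<!DOCTYPE html><html><head></head><body>' + headerHtml +
         '<iframe sandbox srcdoc="' + escapeAttr(mailHtml) + '"></iframe>' +
         '</body></html>';
}
```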