Bug 391865

Created attachment 111403 [details]
Screenshot of (an unbranded version of) Mozilla Thunderbird handling a similar situation.

I'm filing a new bug as instructed in https://bugs.kde.org/show_bug.cgi?id=229989#c2 and https://bugs.kde.org/show_bug.cgi?id=229989#c3 since this still occurs in recent versions of Akregator.

When opening an article, Akregator automatically downloads all requisites found in the <description> (e.g. if images etc are specified in HTML; perhaps even flash or AJAX?). Generally this generates extra HTTP(S) requests to remote server(s), leaking information about the users activities, i.e. which articles they browse, and possibly info about how long they read an article before switching to another article, etc.

The man in the middle, even when the user is using HTTPS, has quite good chances to figure out the exact articles being read (given he can determine the endpoint of the HTTPS connection), which are probabilistically among those new articles which the user has not previously read.

Hopefully it will be configurable per-feed, whether such requisites are downloaded or not, and with an action somewhere to force download of requisites of the article currently open.

Please fix these privacy leaks!

Mozilla Thunderbird, for example, handles such e-mails with remote content much better, by prompting the user about whether to download remote content or not (see attached screenshot). This is also what Akregator could do on a per-feed basis. An "always show remote content" checkbox could also be added to the feed properties dialog.