Summary: | HTML email "leaks" styles into headers | ||
---|---|---|---|
Product: | [Applications] kmail2 | Reporter: | Thomas Tanghus <thomas> |
Component: | general | Assignee: | kdepim bugs <kdepim-bugs> |
Status: | RESOLVED DUPLICATE | ||
Severity: | normal | CC: | bugs.kde.org, jjm, montel |
Priority: | NOR | ||
Version: | 5.15.1 | ||
Target Milestone: | --- | ||
Platform: | Ubuntu | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | ||
Attachments: |
Plain
HTML |
Description
Thomas Tanghus
2020-11-20 13:02:21 UTC
Created attachment 133497 [details]
Plain
Created attachment 133498 [details]
HTML
See also bug 317177 for fancy headers. This is obviously a general problem where any conflicting CSS included in a HTML message body could leak out into the header display. It may even be possible for a malicious message to hide or change header information, thus becoming a security risk. This cannot be worked around by filtering styles used by the header out of the message CSS, because KMail cannot know what style elements the header may use - it may have been written by the user or downloaded. Would it be possible to "sandbox" the message HTML isolated from the header - maybe within an iframe or similar element? could you send me it your email in private ? Thanks (In reply to Laurent Montel from comment #4) > could you send me it your email in private ? > Thanks I have tried to send it to you, but I'm not sure it actually got sent as KMail didn't give any notifications. Let me know if it hasn't arrived. I received it. Thanks (In reply to Jonathan Marten from comment #3) > See also bug 317177 for fancy headers. > > This is obviously a general problem where any conflicting CSS included in a > HTML message body could leak out into the header display. It may even be > possible for a malicious message to hide or change header information, thus > becoming a security risk. This cannot be worked around by filtering styles > used by the header out of the message CSS, because KMail cannot know what > style elements the header may use - it may have been written by the user or > downloaded. > > Would it be possible to "sandbox" the message HTML isolated from the header > - maybe within an iframe or similar element? Hi iframe can be a good idea but we can't know what is the exact message height so we can have two scrollbar it's not good at the moment. But isolate message must be a good idea. I need to continue to investigate it. *** This bug has been marked as a duplicate of bug 371656 *** |