Bug 332228 - When displaying HTML mails, KMail loads external references before asking the user for permission
Status: RESOLVED WORKSFORME
Alias: None
Product: kdepim
Classification: Applications
Component: messageviewer
Version: 5.7.0
Platform: openSUSE Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
URL: https://emailprivacytester.com
Reported: 2014-03-16 20:12 UTC by Mike Schneider
Modified: 2022-12-10 05:13 UTC

Description Mike Schneider 2014-03-16 20:12:02 UTC
With HTML rendering disabled, KMail asks for permission before rendering an HTML message. It also asks for permission for loading external references. This creates the impression that no external references are loaded before having received permission from the user.

However, as a check with https://emailprivacytester.com reveals, KMail loads at least some external references (, object tags, iframes, CSS) before asking for permission. This compromises the privacy of the user.

Expected behaviour: KMail should not load any external references before being given permission to do so by the user.

Reproducible: Always
Comment 1 Mike Schneider 2015-02-06 18:22:33 UTC
Problem is reproducible with KMail 4.14.4
Comment 2 Kåre Särs 2018-01-16 11:21:53 UTC
Hi,

I just got a similar situation. The spam-mail has an attached html file with title and just a <meta http-equiv="refresh" content="0; URL='https://....'" />

This then loads the link in the external web browser. I tested what I had to do to prevent the external browser from opening and the only way was to disable HTML totally and make attachments "as icons". If you want the sample I do have it in my trash folder, but it is NSFW :(

/Kåre
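
The following is an added example, not part of the bug report and not KMail's code: a pre-render check that lists the remote references in an HTML mail body, covering the element types named in the description and the meta refresh from comment 2. The tag table, the function and class names, and the sample message are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample; tracker.example.invalid is a placeholder host.
SAMPLE = """<html><head><link rel="stylesheet" href="https://tracker.example.invalid/a.css">
<meta http-equiv="refresh" content="0; URL='https://tracker.example.invalid/go'" />
<style>body{background:url(//tracker.example.invalid/bg.png)}</style></head>
<body><img src="cid:logo@local"><img src="http://tracker.example.invalid/p.gif">
<iframe src="https://tracker.example.invalid/f"></iframe><object data="https://tracker.example.invalid/o"></object>
<p style="background:url('https://tracker.example.invalid/s.png')">hi</p></body></html>"""

REMOTE = re.compile(r"^\s*(?:https?:)?//", re.I)  # absolute or scheme-relative URL
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)|@import\s+['\"]([^'\"]+)", re.I)
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)
# Attributes that trigger a fetch when rendered (illustrative, not exhaustive).
FETCH_ATTRS = {"img": "src", "iframe": "src", "object": "data", "embed": "src",
               "link": "href", "script": "src", "input": "src", "body": "background"}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs, self._in_style = [], False
    def _add(self, kind, url):
        if url and REMOTE.match(url):  # cid:, data: and relative refs stay local
            self.refs.append((kind, url.strip()))
    def _css(self, kind, text):
        for m in CSS_URL.finditer(text):
            self._add(kind, m.group(1) or m.group(2))

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag in FETCH_ATTRS:
            self._add(tag, a.get(FETCH_ATTRS[tag], ""))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            self._add("meta-refresh", m.group(1) if m else "")
        self._css("style-attr", a.get("style", ""))  # inline style="..." attributes
        self._in_style = tag == "style"
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
    def handle_data(self, data):
        if self._in_style:  # text inside a <style> element
            self._css("style", data)

def remote_references(html):
    """Return (kind, url) pairs a viewer must not fetch before the user consents."""
    finder = RemoteRefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs
```

An empty result from `remote_references` means the body contains none of the listed reference types; any non-empty result is what a consent prompt would have to gate.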
Comment 3 Justin Zobel 2022-11-10 22:32:55 UTC
Thank you for reporting this issue in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version?

If you can reproduce the issue, please change the status to "REPORTED" when replying. Thank you!
Comment 4 Bug Janitor Service 2022-11-25 05:15:49 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 5 Bug Janitor Service 2022-12-10 05:13:07 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!