From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <david@tethera.net>
Received: from localhost (localhost [127.0.0.1])
	by olra.theworths.org (Postfix) with ESMTP id 6DE49431FB6
	for <notmuch@notmuchmail.org>; Sun, 25 Jan 2015 09:52:48 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
X-Spam-Flag: NO
X-Spam-Score: 2.438
X-Spam-Level: **
X-Spam-Status: No, score=2.438 tagged_above=-999 required=5
	tests=[DNS_FROM_AHBL_RHSBL=2.438] autolearn=disabled
Received: from olra.theworths.org ([127.0.0.1])
	by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id CNnVbwrLsO0Q for <notmuch@notmuchmail.org>;
	Sun, 25 Jan 2015 09:52:45 -0800 (PST)
Received: from mx.xen14.node3324.gplhost.com (gitolite.debian.net
	[87.98.215.224])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	by olra.theworths.org (Postfix) with ESMTPS id C1C34431FAF
	for <notmuch@notmuchmail.org>; Sun, 25 Jan 2015 09:52:45 -0800 (PST)
Received: from remotemail by mx.xen14.node3324.gplhost.com with local (Exim
	4.80) (envelope-from <david@tethera.net>)
	id 1YFRLo-0003GT-Cd; Sun, 25 Jan 2015 17:51:56 +0000
Received: (nullmailer pid 2498 invoked by uid 1000); Sun, 25 Jan 2015
	17:51:43 -0000
From: David Bremner <david@tethera.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, notmuch mailing list
	<notmuch@notmuchmail.org>
Subject: Re: privacy problem: text/html parts pull in network resources
In-Reply-To: <87ppa7q25w.fsf@alice.fifthhorseman.net>
References: <87ppa7q25w.fsf@alice.fifthhorseman.net>
User-Agent: Notmuch/0.19+48~gb74ed1c (http://notmuchmail.org) Emacs/24.4.1
	(x86_64-pc-linux-gnu)
Date: Sun, 25 Jan 2015 18:51:43 +0100
Message-ID: <87fvay3g0g.fsf@maritornes.cs.unb.ca>
MIME-Version: 1.0
Content-Type: text/plain
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Use and development of the notmuch mail system."
	<notmuch.notmuchmail.org>
List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
	<mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
	<mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jan 2015 17:52:48 -0000

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> If i send a message with a text/html part (either it's only text/html,
> or all parts are rendered, or it's multipart/alternative with only a
> text/html subpart) and that HTML has <img
> src="http://example.org/test.png"/> in it, then notmuch will make a
> network request for that image.
>
> This is a privacy disaster, because it enables an e-mail sender to use
> "web bugs" to tell when a given notmuch user has opened their e-mail.

I've just pushed Austin's shr related series to master, so this problem
should be fixed as of commit b74ed1c. One tradeoff that we should at
least remark in NEWS, if not actually fix, is that I think there is now
no way to view such images in notmuch.  I don't know offhand what other
html renderers will do.

d