From: Jinwoo Lee Date: Thu, 29 Jan 2015 18:14:27 +0000 (+1600) Subject: Re: privacy problem: text/html parts pull in network resources X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=9df0365ef43e9eca08466e8d3c93cc10ce5d195d;p=notmuch-archives.git Re: privacy problem: text/html parts pull in network resources --- diff --git a/db/6f08af960b659ef9e2ab6e65428470321fd1ca b/db/6f08af960b659ef9e2ab6e65428470321fd1ca new file mode 100644 index 000000000..6b1969456 --- /dev/null +++ b/db/6f08af960b659ef9e2ab6e65428470321fd1ca 
@@ -0,0 +1,105 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by olra.theworths.org (Postfix) with ESMTP id 22992431FCB + for ; Thu, 29 Jan 2015 10:14:34 -0800 (PST) +X-Virus-Scanned: Debian amavisd-new at olra.theworths.org +X-Spam-Flag: NO +X-Spam-Score: 2.639 +X-Spam-Level: ** +X-Spam-Status: No, score=2.639 tagged_above=-999 required=5 + tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, + DNS_FROM_AHBL_RHSBL=2.438, FREEMAIL_ENVFROM_END_DIGIT=1, + FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled +Received: from olra.theworths.org ([127.0.0.1]) + by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id U-wwF6V+vKuL for ; + Thu, 29 Jan 2015 10:14:31 -0800 (PST) +Received: from mail-pa0-f53.google.com (mail-pa0-f53.google.com + [209.85.220.53]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) + (No client certificate requested) + by olra.theworths.org (Postfix) with ESMTPS id C9A17431FBC + for ; Thu, 29 Jan 2015 10:14:30 -0800 (PST) +Received: by mail-pa0-f53.google.com with SMTP id kx10so41975403pab.12 + for ; Thu, 29 Jan 2015 10:14:29 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; + h=from:to:subject:in-reply-to:references:user-agent:date:message-id + :mime-version:content-type; + bh=Shk5IEFVaWoI92e39P87CwLNRTC3/laoke8/QTa6YsY=; + b=b1JPJ2JNu3xgP3WFEtzsnOklVxHCr0AUV0GbyAi6Zt/CRzHBG53NlACEHP2JowFCRV + 7hoNyvWgzdrAmwINS+CO6WAgXa487gjkXLSfE7EI8oAONwfUdESj/y1XEKGlEgSsSagg + ouQ4CDGRBfjOeHQJMoUwCXod5DJMyJdmg9UwBtPX2z2Q1ccOHgqdAW0TMDM6ck6MQ4uZ + Ec2Ng2eCUrrjDEUQU+LjTC0naacaywsh+k1C9LM2NAhuPZingJ035qRu5TuMrJTW0+0d + Gi/k+ya7WyIUbjoQUIFupHD5RE+UUAdjxVr9ZNECrU0yWynUw+LwE+1PKnazoSjTzTNb + Gr3w== +X-Received: by 10.66.157.5 with SMTP id wi5mr2571642pab.37.1422555269869; + Thu, 29 Jan 2015 10:14:29 -0800 (PST) +Received: from localhost ([2601:9:5d00:15b9:9997:a9cd:4a6a:40f0]) 
+ by mx.google.com with ESMTPSA id fg6sm8450866pdb.24.2015.01.29.10.14.28 + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Thu, 29 Jan 2015 10:14:29 -0800 (PST) +From: Jinwoo Lee +To: Daniel Kahn Gillmor , + notmuch mailing list +Subject: Re: privacy problem: text/html parts pull in network resources +In-Reply-To: <87wq45cvls.fsf@alice.fifthhorseman.net> +References: <87ppa7q25w.fsf@alice.fifthhorseman.net> + <87fvay3g0g.fsf@maritornes.cs.unb.ca> + <871tmfin1k.fsf@alice.fifthhorseman.net> + + + <87wq45cvls.fsf@alice.fifthhorseman.net> +User-Agent: Notmuch/0.18.1 (http://notmuchmail.org) Emacs/24.4.1 + (x86_64-apple-darwin13.2.0) +Date: Thu, 29 Jan 2015 10:14:27 -0800 +Message-ID: +MIME-Version: 1.0 +Content-Type: text/plain +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.13 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Thu, 29 Jan 2015 18:14:34 -0000 + +On Thu, Jan 29, 2015 at 10:03 AM, Daniel Kahn Gillmor wrote: +> On Wed 2015-01-28 18:57:25 -0500, Jinwoo Lee wrote: +>> Do you mind if I add a boolean defcustom, which determines whether to +>> block remote images? Its default value will be T (block), but people +>> who want to see remote images can customize it. +> +> I have no objection to this kind of knob in an already fiddly config +> space. In the other thread, i see the discussion of whether this should +> expose something fancier than a boolean, but given the number of +> possible rendering backends, i don't know how well we can support any of +> these options reliably. +> +> What should notmuch do when the customization variable is set to t +> (block remote images) but the html rendering backend doesn't support +> blocking remote images? +> +> It seems dangerous/disingenuous to offer the option to the user but not +> be able to enforce it in this case. 
Should having this set to t +> restrict the range of html renderers to only those that we can force to +> respect it? + +I'm not very knowledgeable in the notmuch codebase, but I think I agree +with your concern about this customization variable being dangerous or +misleading users. + ++1 to restricting renderers. + +> +> --dkg +> _______________________________________________ +> notmuch mailing list +> notmuch@notmuchmail.org +> http://notmuchmail.org/mailman/listinfo/notmuch
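Review bot: The commit's author date in the header reads 18:14:27 +0000 (+1600), while the Date: line of the message being added reads 10:14:27 -0800. The UTC instant is the same, so only the recorded offset disagrees; +1600 is what -0800 becomes if the offset is wrapped modulo 24 hours rather than kept signed. Suggest checking how the commit date's timezone is derived from the mail's Date header, so that the sender's original offset is preserved in the archive history.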