[#8836] Signal the browser to turn off DNS prefetching when displaying untrusted content
Summary Signal the browser to turn off DNS prefetching when displaying untrusted content
Queue IMP
Queue Version Git master
Type Enhancement
State Resolved
Priority 1. Low
Owners slusarz (at) horde (dot) org
Requester chuck (at) horde (dot) org
Created 01/24/2010 (1547 days ago)
Updated 07/01/2010 (1389 days ago)
Assigned 07/01/2010 (1389 days ago)
Resolved 07/01/2010 (1389 days ago)
Patch No

07/01/2010 08:03:56 PM Michael Slusarz Comment #14
State ⇒ Resolved
Reply to this comment
Fixed in IMP 4.3.8 and DIMP 1.1.5 (MIMP does not need this fix because 
MIMP 1.x does not generate links in message content).
07/01/2010 06:41:27 PM Michael Slusarz Comment #11
State ⇒ Assigned
Reply to this comment
Altered how we do this (see commit message below).

Note that we disable DNS prefetching page-wide in the following cases:
Message view (DIMP/IMP/MIMP) - this takes care of links that may be in 
the subject/list headers and any inline viewable parts
Thread view (IMP)

We do (will) NOT disable prefetching in the following cases:
Viewing the contents of a part directly (i.e. view in a popup window). 
  If the user proactively takes the step of wanting to view a 
particular message part, that is sufficient to indicate that they are 
vouching for the integrity of the message.
Print view (see above)
Compose view - I have no clue if links that appear in Ckeditor are 
prefetched or not, but the same reasoning applies - if you are 
replying/forwarding to a message, you are vouching for integrity of 
07/01/2010 06:34:41 PM Git Commit Comment #10 Reply to this comment
Changes have been made in Git for this ticket:

Bug #8836: Rework DNS Prefetch disable
META tags must be in HEAD tag to be correct HTML/XHTML.
So we need to disable prefetching for the entire page - but only on
pages where we are working with mail data.

05/22/2010 02:54:51 PM reg (at) debian (dot) org Comment #9 Reply to this comment

Do you plan to fix Horde 3 / IMP 4 ?

Gregory Colpart
01/30/2010 05:50:24 PM Michael Slusarz Comment #8
Assigned to Michael Slusarz
State ⇒ Resolved
Reply to this comment
Marking as resolved.
01/26/2010 11:42:13 PM CVS Commit Comment #6 Reply to this comment
01/26/2010 10:40:49 PM Michael Slusarz Comment #5 Reply to this comment
Unfortunately, this also needs to be added to places where we convert 
text -> links (i.e. text/plain parts).
01/24/2010 02:55:48 PM Chuck Hagenbuch Comment #3 Reply to this comment
It could apply anywhere we use the xss filter, I think.
01/24/2010 11:09:01 AM Jan Schneider Comment #2
State ⇒ Feedback
Reply to this comment
Reading the article it should be sufficient to add this meta tag in 
the message view of IMP, if not using HTTPS. Or do we have any other 
place where personally targeted data from the outside with links are 
being displayed?
01/24/2010 01:53:32 AM Chuck Hagenbuch Comment #1
State ⇒ New
Patch ⇒ No
Milestone ⇒
Queue ⇒ IMP
Summary ⇒ Signal the browser to turn off DNS prefetching when displaying untrusted content
Type ⇒ Enhancement
Priority ⇒ 1. Low
Reply to this comment