Tickets :: [#8836] Signal the browser to turn off DNS prefetching when displaying untrusted content

unknown

5/20/25

Summary	Signal the browser to turn off DNS prefetching when displaying untrusted content
Queue	IMP
Queue Version	Git master
Type	Enhancement
State	Resolved
Priority	1. Low
Owners	slusarz (at) horde (dot) org
Requester	chuck (at) horde (dot) org
Created	01/24/2010 (5595 days ago)
Due
Updated	07/01/2010 (5437 days ago)
Assigned	07/01/2010 (5437 days ago)
Resolved	07/01/2010 (5437 days ago)
Milestone
Patch	No

07/01/2010 08:03:56 PM	Michael Slusarz	Comment #14 State ⇒ Resolved	Reply to this comment
Fixed in IMP 4.3.8 and DIMP 1.1.5 (MIMP does not need this fix because MIMP 1.x does not generate links in message content).

07/01/2010 08:03:21 PM	Git Commit	Comment #13	Reply to this comment
Changes have been made in Git for this ticket: ~~Bug #8836~~: Fix attribute name http://git.horde.org/diff.php/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php?rt=horde-git&r1=2effd3ce519011db72737c32c437f9c6364a23f0&r2=b942953b7b196c16a2f7777bbc55ac8e1661b655

07/01/2010 08:00:29 PM	CVS Commit	Comment #12	Reply to this comment
Changes have been made in CVS for this ticket: ~~Bug: 8836~~ Merge from git: disable DNS prefetching. http://cvs.horde.org/diff.php/dimp/docs/CHANGES?rt=horde&r1=1.69.2.83&r2=1.69.2.84&ty=u http://cvs.horde.org/diff.php/dimp/index.php?rt=horde&r1=1.59.2.13&r2=1.59.2.14&ty=u http://cvs.horde.org/diff.php/dimp/lib/DIMP.php?rt=horde&r1=1.110.2.38&r2=1.110.2.39&ty=u http://cvs.horde.org/diff.php/dimp/message.php?rt=horde&r1=1.52.2.17&r2=1.52.2.18&ty=u http://cvs.horde.org/diff.php/imp/message.php?rt=horde&r1=2.560.4.61&r2=2.560.4.62&ty=u http://cvs.horde.org/diff.php/imp/templates/common-header.inc?rt=horde&r1=2.78.2.11&r2=2.78.2.12&ty=u http://cvs.horde.org/diff.php/imp/thread.php?rt=horde&r1=2.10.2.29&r2=2.10.2.30&ty=u

07/01/2010 06:41:27 PM	Michael Slusarz	Comment #11 State ⇒ Assigned	Reply to this comment
Altered how we do this (see commit message below). Note that we disable DNS prefetching page-wide in the following cases: Message view (DIMP/IMP/MIMP) - this takes care of links that may be in the subject/list headers and any inline viewable parts Thread view (IMP) We do (will) NOT disable prefetching in the following cases: Viewing the contents of a part directly (i.e. view in a popup window). If the user proactively takes the step of wanting to view a particular message part, that is sufficient to indicate that they are vouching for the integrity of the message. Print view (see above) Compose view - I have no clue if links that appear in Ckeditor are prefetched or not, but the same reasoning applies - if you are replying/forwarding to a message, you are vouching for integrity of message.

07/01/2010 06:34:41 PM	Git Commit	Comment #10	Reply to this comment
Changes have been made in Git for this ticket: ~~Bug #8836~~: Rework DNS Prefetch disable META tags must be in HEAD tag to be correct HTML/XHTML. So we need to disable prefetching for the entire page - but only on pages where we are working with mail data. http://git.horde.org/diff.php/framework/Core/lib/Horde.php?rt=horde-git&r1=4f3bc19eac444e3d99b7e56b188bd9f99db3686d&r2=2effd3ce519011db72737c32c437f9c6364a23f0 http://git.horde.org/diff.php/framework/Mime/lib/Horde/Mime/Viewer/Enriched.php?rt=horde-git&r1=add5b9f9b63d81d29085a9615c30c4c9b4163e5d&r2=2effd3ce519011db72737c32c437f9c6364a23f0 http://git.horde.org/diff.php/framework/Mime/lib/Horde/Mime/Viewer/Html.php?rt=horde-git&r1=504e55792175710c0992a3ae3a5a4b62f43f8356&r2=2effd3ce519011db72737c32c437f9c6364a23f0 http://git.horde.org/diff.php/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php?rt=horde-git&r1=23c8ed79dd7c65bca75f984646522f01fbec467b&r2=2effd3ce519011db72737c32c437f9c6364a23f0 http://git.horde.org/diff.php/imp/index-dimp.php?rt=horde-git&r1=76c1c091e8c027ce77dea8d76ceb2fef5d4cecb4&r2=2effd3ce519011db72737c32c437f9c6364a23f0 http://git.horde.org/diff.php/imp/lib/Mime/Viewer/Html.php?rt=horde-git&r1=c976326cfd1ee61836b14cfdfc223cea86053683&r2=2effd3ce519011db72737c32c437f9c6364a23f0 http://git.horde.org/diff.php/imp/lib/Mime/Viewer/Plain.php?rt=horde-git&r1=bf4719ffd4d666e00287a27dc1f42085a36ccb0e&r2=2effd3ce519011db72737c32c437f9c6364a23f0 http://git.horde.org/diff.php/imp/lib/Ui/Message.php?rt=horde-git&r1=bf4719ffd4d666e00287a27dc1f42085a36ccb0e&r2=2effd3ce519011db72737c32c437f9c6364a23f0 http://git.horde.org/diff.php/imp/message-dimp.php?rt=horde-git&r1=3da6a8d9e7f54b76cf39a34cf677521e419aa940&r2=2effd3ce519011db72737c32c437f9c6364a23f0 http://git.horde.org/diff.php/imp/message-mimp.php?rt=horde-git&r1=bf4719ffd4d666e00287a27dc1f42085a36ccb0e&r2=2effd3ce519011db72737c32c437f9c6364a23f0 http://git.horde.org/diff.php/imp/message.php?rt=horde-git&r1=bf4719ffd4d666e00287a27dc1f42085a36ccb0e&r2=2effd3ce519011db72737c32c437f9c6364a23f0 http://git.horde.org/diff.php/imp/thread.php?rt=horde-git&r1=bf4719ffd4d666e00287a27dc1f42085a36ccb0e&r2=2effd3ce519011db72737c32c437f9c6364a23f0

05/22/2010 02:54:51 PM	reg (at) debian (dot) org	Comment #9	Reply to this comment
Hello, Do you plan to fix Horde 3 / IMP 4 ? Regards, -- Gregory Colpart

01/30/2010 05:50:24 PM	Michael Slusarz	Comment #8 Assigned to Michael Slusarz State ⇒ Resolved	Reply to this comment
Marking as resolved.

01/30/2010 05:49:56 PM	CVS Commit	Comment #7	Reply to this comment
Changes have been made in Git for this ticket: ~~Ticket #8836~~: changelog http://git.horde.org/diff.php/horde/docs/CHANGES?rt=horde-git&r1=084e1f3eb2d91e32f3d74b70cf69a63202aee52f&r2=f7352a17a24e05b79e17b37d42d5ea5162f37658

01/26/2010 11:42:13 PM	CVS Commit	Comment #6	Reply to this comment
Changes have been made in Git for this ticket: ~~Ticket #8836~~: Add 'noprefetch' option to linkurls http://git.horde.org/diff.php/framework/Mime/lib/Horde/Mime/Viewer/Enriched.php?rt=horde-git&r1=1a310b2de34193b3f984e4506d87b32de412a65e&r2=add5b9f9b63d81d29085a9615c30c4c9b4163e5d http://git.horde.org/diff.php/framework/Mime/lib/Horde/Mime/Viewer/Plain.php?rt=horde-git&r1=eecbfcce7d795c9e0651a163b66e5628ac571d8e&r2=add5b9f9b63d81d29085a9615c30c4c9b4163e5d http://git.horde.org/diff.php/framework/Text_Filter/lib/Horde/Text/Filter/Linkurls.php?rt=horde-git&r1=1a310b2de34193b3f984e4506d87b32de412a65e&r2=add5b9f9b63d81d29085a9615c30c4c9b4163e5d http://git.horde.org/diff.php/framework/Text_Filter/lib/Horde/Text/Filter/Text2html.php?rt=horde-git&r1=1a310b2de34193b3f984e4506d87b32de412a65e&r2=add5b9f9b63d81d29085a9615c30c4c9b4163e5d http://git.horde.org/diff.php/imp/lib/Ajax/Application.php?rt=horde-git&r1=0b323e03586865781592a52370148f23636239b9&r2=add5b9f9b63d81d29085a9615c30c4c9b4163e5d http://git.horde.org/diff.php/imp/lib/Mime/Viewer/Plain.php?rt=horde-git&r1=1a310b2de34193b3f984e4506d87b32de412a65e&r2=add5b9f9b63d81d29085a9615c30c4c9b4163e5d http://git.horde.org/diff.php/imp/lib/Ui/Message.php?rt=horde-git&r1=518f99048e2a7a0d8fd8deb1ff4fb096474b02d8&r2=add5b9f9b63d81d29085a9615c30c4c9b4163e5d http://git.horde.org/diff.php/imp/mailbox.php?rt=horde-git&r1=b23cc31ca5d964fd8f9be807871eb0595aee63d9&r2=add5b9f9b63d81d29085a9615c30c4c9b4163e5d

01/26/2010 10:40:49 PM	Michael Slusarz	Comment #5	Reply to this comment
Unfortunately, this also needs to be added to places where we convert text -> links (i.e. text/plain parts).

01/26/2010 10:39:46 PM	CVS Commit	Comment #4	Reply to this comment
Changes have been made in Git for this ticket: ~~Ticket #8836~~: Add 'noprefetch' option to XSS filter http://git.horde.org/diff.php/framework/Mime/lib/Horde/Mime/Viewer/Html.php?rt=horde-git&r1=206ebd97f0d6932358ca8ebdc7c8e06d4c5169b8&r2=504e55792175710c0992a3ae3a5a4b62f43f8356 http://git.horde.org/diff.php/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php?rt=horde-git&r1=ce64aa00d9d1e9f5b7183af9bdde35adbe38f4b4&r2=504e55792175710c0992a3ae3a5a4b62f43f8356 http://git.horde.org/diff.php/framework/Text_Filter/package.xml?rt=horde-git&r1=14d802ae6bf6ae4e7d8721deeb3fd7ffab66a97a&r2=504e55792175710c0992a3ae3a5a4b62f43f8356

01/24/2010 02:55:48 PM	Chuck Hagenbuch	Comment #3	Reply to this comment
It could apply anywhere we use the xss filter, I think.

01/24/2010 11:09:01 AM	Jan Schneider	Comment #2 State ⇒ Feedback	Reply to this comment
Reading the article it should be sufficient to add this meta tag in the message view of IMP, if not using HTTPS. Or do we have any other place where personally targeted data from the outside with links are being displayed?

01/24/2010 01:53:32 AM	Chuck Hagenbuch	Comment #1 Priority ⇒ 1. Low State ⇒ New Patch ⇒ No Milestone ⇒ Summary ⇒ Signal the browser to turn off DNS prefetching when displaying untrusted content Type ⇒ Enhancement Queue ⇒ IMP	Reply to this comment
https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail