[#8836] Signal the browser to turn off DNS prefetching when displaying untrusted content
Summary Signal the browser to turn off DNS prefetching when displaying untrusted content
Queue IMP
Queue Version Git master
Type Enhancement
State Resolved
Priority 1. Low
Owners slusarz (at) horde (dot) org
Requester chuck (at) horde (dot) org
Created 2010-01-24 (4285 days ago)
Updated 2010-07-01 (4127 days ago)
Assigned 2010-07-01 (4127 days ago)
Resolved 2010-07-01 (4127 days ago)
Patch No

2010-07-01 20:03:56 Michael Slusarz Comment #14
State ⇒ Resolved
Fixed in IMP 4.3.8 and DIMP 1.1.5 (MIMP does not need this fix because 
MIMP 1.x does not generate links in message content).
2010-07-01 18:41:27 Michael Slusarz Comment #11
State ⇒ Assigned
Altered how we do this (see commit message below).

Note that we disable DNS prefetching page-wide in the following cases:
- Message view (DIMP/IMP/MIMP) - this takes care of links that may be in the subject/list headers and any inline viewable parts
- Thread view (IMP)

We do (will) NOT disable prefetching in the following cases:
- Viewing the contents of a part directly (i.e. view in a popup window). If the user proactively takes the step of wanting to view a particular message part, that is sufficient to indicate that they are vouching for the integrity of the message.
- Print view (see above)
- Compose view - I have no clue if links that appear in Ckeditor are prefetched or not, but the same reasoning applies - if you are replying/forwarding to a message, you are vouching for integrity of
2010-07-01 18:34:41 Git Commit Comment #10
Changes have been made in Git for this ticket:

Bug #8836: Rework DNS Prefetch disable
META tags must be in HEAD tag to be correct HTML/XHTML.
So we need to disable prefetching for the entire page - but only on
pages where we are working with mail data.
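
An added example, not part of the Horde commit: a Python check that a rendered page carries the DNS prefetch control tag inside HEAD, the placement the commit message above requires. The tag name `x-dns-prefetch-control` is the control browsers honor and is assumed to be the one this ticket refers to; the class and function names are hypothetical and the sample pages are constructed.

```python
from html.parser import HTMLParser

CONTROL = "x-dns-prefetch-control"  # assumed to be the META tag the ticket means

class PrefetchAudit(HTMLParser):
    """Records where the prefetch-control META tag and links appear."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_values = []  # content= of control tags inside <head>
        self.misplaced = 0     # control tags outside <head>
        self.links = 0         # <a href> elements, the prefetch candidates

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == CONTROL:
            if self.in_head:
                self.head_values.append((a.get("content") or "").strip().lower())
            else:
                self.misplaced += 1
        elif tag == "a" and a.get("href"):
            self.links += 1

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def audit(html):
    # Returns (status, link_count) for one rendered page.
    p = PrefetchAudit()
    p.feed(html)
    p.close()
    if p.head_values and all(v == "off" for v in p.head_values):
        return "disabled", p.links
    if p.misplaced:
        return "misplaced", p.links
    return "not-disabled", p.links

# Constructed sample pages, not Horde output.
LINK = '<a href="http://tracker.example/u/1">open</a>'
META = '<meta http-equiv="x-dns-prefetch-control" content="off" />'
IN_HEAD = f"<html><head><title>Message</title>{META}</head><body>{LINK}</body></html>"
IN_BODY = f"<html><head><title>Message</title></head><body>{META}{LINK}</body></html>"
ABSENT = f"<html><head><title>Message</title></head><body>{LINK}{LINK}</body></html>"
```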

2010-05-22 14:54:51 reg (at) debian (dot) org Comment #9

Do you plan to fix Horde 3 / IMP 4?

Gregory Colpart
2010-01-30 17:50:24 Michael Slusarz Comment #8
Assigned to Michael Slusarz
State ⇒ Resolved
Marking as resolved.
2010-01-26 23:42:13 CVS Commit Comment #6
2010-01-26 22:40:49 Michael Slusarz Comment #5
Unfortunately, this also needs to be added to places where we convert 
text -> links (i.e. text/plain parts).
2010-01-24 14:55:48 Chuck Hagenbuch Comment #3
It could apply anywhere we use the xss filter, I think.
2010-01-24 11:09:01 Jan Schneider Comment #2
State ⇒ Feedback
Reading the article it should be sufficient to add this meta tag in 
the message view of IMP, if not using HTTPS. Or do we have any other 
place where personally targeted data from the outside with links are 
being displayed?
2010-01-24 01:53:32 Chuck Hagenbuch Comment #1
Type ⇒ Enhancement
State ⇒ New
Priority ⇒ 1. Low
Summary ⇒ Signal the browser to turn off DNS prefetching when displaying untrusted content
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ No
