[kmail2] [Bug 431218] mail viewer loads external fonts even with external refs disabled

Laurent Montel bugzilla_noreply at kde.org
Wed Feb 3 12:21:34 GMT 2021


https://bugs.kde.org/show_bug.cgi?id=431218

--- Comment #4 from Laurent Montel <montel at kde.org> ---
(In reply to Timo Weingärtner from comment #3)
> I sent you a test case in private mail.

Yep thanks. I will look at it.


> When reading your patch and the surrounding code it looks like only some
> (images, now also fonts) request types are blacklisted. What about external
> style sheets or other types that might grow in HTML-land? Are there any
> external requests you think should be allowed?

see "BlockExternalResourcesUrlInterceptor" too

but indeed I need to block "style sheets" too.

> 
> Regarding URL schemes: why is file:// allowed? I could think of some social
> engineering attacks that might work by including files from the victims
> computer. I would read "external request" as external to the e-mail in
> question.

Because we use file:// for resources too (as loading html template/ local image
etc.) => normal.


> 
> To me the function could be as simple as:
> 
> ----8<----8<----
> bool
> LoadExternalReferencesUrlInterceptor::
> interceptRequest(QWebEngineUrlRequestInfo &info)
> {
>     if (mAllowLoadExternalReference) {
>         return false;
>     }
> 
>     const QString scheme = info.requestUrl().scheme();
>     if (scheme == QLatin1String("data")
>         || scheme == QLatin1String("cid")) {
>         return false;
>     }
> 
>     return true;
> }

nope :) as we want to be able to load images from local etc :)


> ----8<----8<----

-- 
You are receiving this mail because:
You are the assignee for the bug.
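The two interceptor shapes discussed above (block listed resource types vs. allow only non-network schemes), as an added stand-alone example that is not KMail's code: Qt is modelled away, so `ResourceType` is a hypothetical stand-in for `QWebEngineUrlRequestInfo::resourceType()`, and `true` means "block", following the quoted snippet's convention. It keeps `file://` allowed, as the reply requires, and shows that a stylesheet over `https` passes a type blocklist while a scheme allowlist stops it.

```cpp
#include <iostream>
#include <string>

// Hypothetical stand-in for the resource kinds Qt WebEngine reports
// (QWebEngineUrlRequestInfo::resourceType()); not Qt's enum.
enum class ResourceType { MainFrame, Image, Font, Stylesheet, Script, Other };

// Schemes that never reach the network: inline data, MIME parts referenced by
// Content-ID, and the local files the viewer uses for its HTML template/images.
static bool isLocalScheme(const std::string &scheme) {
    return scheme == "data" || scheme == "cid" || scheme == "file";
}

// Blocklist shape: only explicitly listed resource types are blocked.
// Anything the list does not name (a stylesheet, or a type HTML grows later)
// is still fetched from the network with external references "disabled".
bool blockByTypeList(const std::string &scheme, ResourceType type, bool allowExternal) {
    if (allowExternal || isLocalScheme(scheme)) {
        return false;
    }
    return type == ResourceType::Image || type == ResourceType::Font;
}

// Allowlist shape: anything not from a local scheme is blocked regardless of
// type, so new resource types are covered without touching the interceptor.
bool blockBySchemeAllowlist(const std::string &scheme, ResourceType /*type*/, bool allowExternal) {
    if (allowExternal) {
        return false;
    }
    return !isLocalScheme(scheme);
}

// True when the policies disagree: requests the blocklist lets through
// although external references are disabled.
bool leaksUnderTypeList(const std::string &scheme, ResourceType type) {
    return blockBySchemeAllowlist(scheme, type, false) && !blockByTypeList(scheme, type, false);
}

int main() {
    // Constructed sample requests, as a mail viewer might see them.
    std::cout << "https stylesheet leaks: " << leaksUnderTypeList("https", ResourceType::Stylesheet) << '\n';
    std::cout << "https image leaks:      " << leaksUnderTypeList("https", ResourceType::Image) << '\n';
    std::cout << "cid image blocked:      " << blockBySchemeAllowlist("cid", ResourceType::Image, false) << '\n';
    return 0;
}
```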

