[kmail2] [Bug 431218] mail viewer loads external fonts even with external refs disabled
Laurent Montel
bugzilla_noreply at kde.org
Wed Feb 3 12:21:34 GMT 2021
https://bugs.kde.org/show_bug.cgi?id=431218
--- Comment #4 from Laurent Montel <montel at kde.org> ---
(In reply to Timo Weingärtner from comment #3)
> I sent you a test case in private mail.
Yep thanks. I will look at it.
> When reading your patch and the surrounding code it looks like only some
> (images, now also fonts) request types are blacklisted. What about external
> style sheets or other types that might grow in HTML-land? Are there any
> external requests you think should be allowed?
see "BlockExternalResourcesUrlInterceptor" too
but indeed I need to block "style sheets" too.
>
> Regarding URL schemes: why is file:// allowed? I could think of some social
> engineering attacks that might work by including files from the victims
> computer. I would read "external request" as external to the e-mail in
> question.
Because we use file:// for resources too (as loading html template/ local image
etc.) => normal.
>
> To me the function could be as simple as:
>
> ----8<----8<----
> bool
> LoadExternalReferencesUrlInterceptor::
> interceptRequest(QWebEngineUrlRequestInfo &info)
> {
>     if (mAllowLoadExternalReference) {
>         return false;
>     }
>
>     const QString scheme = info.requestUrl().scheme();
>     if (scheme == QLatin1String("data")
>         || scheme == QLatin1String("cid")) {
>         return false;
>     }
>
>     return true;
> }
nope :) as we want to be able to load image from local etc :)
> ----8<----8<----
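Added example (not part of the original message and not KMail code): a plain C++ model of the two policies discussed in the thread, blocking by request type versus allowing by URL scheme, showing which requests the first one lets through. ResourceType, Request and all function names are hypothetical; the sample URLs are constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-ins for what an interceptor sees; not the Qt/KMail types.
enum class ResourceType { Image, Font, StyleSheet, Other };
struct Request { std::string url; ResourceType type; };

// True for schemes that stay inside the mail or the local viewer. "file" is
// listed because the reply says templates and local images are loaded with it.
bool isLocalScheme(const std::string &url) {
    const auto pos = url.find(':');
    if (pos == std::string::npos) return false;
    std::string s = url.substr(0, pos);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s == "data" || s == "cid" || s == "file";
}

// Type block-list model; returns true when blocked, as in the quoted function.
bool blockByTypeList(const Request &r, bool allowExternal) {
    if (allowExternal || isLocalScheme(r.url)) return false;
    return r.type == ResourceType::Image || r.type == ResourceType::Font;
}

// Default deny: blocked unless the scheme is on the allow-list.
bool blockByAllowList(const Request &r, bool allowExternal) {
    return !allowExternal && !isLocalScheme(r.url);
}

// URLs the type block-list lets through but the allow-list stops.
std::vector<std::string> gaps(const std::vector<Request> &reqs) {
    std::vector<std::string> out;
    for (const auto &r : reqs)
        if (!blockByTypeList(r, false) && blockByAllowList(r, false))
            out.push_back(r.url);
    return out;
}

int main() {
    // Constructed sample requests, not taken from the bug report.
    const std::vector<Request> reqs = {
        {"https://example.invalid/a.png", ResourceType::Image},
        {"https://example.invalid/s.css", ResourceType::StyleSheet},
        {"cid:part1", ResourceType::Image},
        {"file:///tmp/template.html", ResourceType::Other}};
    for (const auto &u : gaps(reqs)) std::cout << "not covered: " << u << "\n";
}
```

With these samples only the remote style sheet is reported: the type list has no entry for it, while the scheme allow-list stops it without naming any resource type.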