Currently the design of the sanitizer API seems to be concerned only with XSS; this means blocking all forms of scripting (e.g. onevent, <script>, etc.).
However, a weaker class of attacks still exists that may be used to exfiltrate data about users, and that is the ability to trigger any form of request to a third party (or sometimes even first party) resource.
For example, this image tag could be used to exfiltrate how many people view a particular piece of user generated content:
<img src="https://evil.bad/honeypot.png">
Many other examples exist, however, such as <a ping="...">, <link rel="stylesheet">, etc.
As such I'd like to suggest having a second preset that will strip all elements/attributes that could trigger a fetch.
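As an added example (not code from this issue or from the Sanitizer API project), the stripping pass such a preset would need, written over a constructed plain-object model of DOM elements so it runs outside a browser; the element and attribute deny-lists are assumptions, not a spec-defined set.

```javascript
// Added example (not from the issue or the Sanitizer API): a post-pass that
// strips elements and attributes able to trigger a network fetch. Nodes are a
// constructed plain-object model of DOM elements ({ tag, attrs, children }).

// Elements whose mere presence loads a resource (assumption: a reasonable,
// not exhaustive, deny-list).
const FETCHING_ELEMENTS = new Set([
  "img", "picture", "source", "video", "audio", "track", "iframe", "frame",
  "embed", "object", "link", "style", "script", "base", "meta", "input",
]);
// Attributes carrying a URL the browser may request on its own. `href` on <a>
// stays: it navigates only on click, while `ping` adds a beacon to that click.
const FETCHING_ATTRIBUTES = new Set(["src", "srcset", "poster", "ping", "background"]);

// Inline styles can load resources via url() or @import.
function styleTriggersFetch(value) {
  return /url\s*\(|@import/i.test(value);
}

// Returns a new tree with fetching elements dropped (subtree included) and
// fetching attributes removed; text nodes are plain strings and pass through.
function stripFetchTriggers(node) {
  if (typeof node === "string") return node;
  const tag = node.tag.toLowerCase();
  if (FETCHING_ELEMENTS.has(tag)) return null;
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const lower = name.toLowerCase();
    if (FETCHING_ATTRIBUTES.has(lower)) continue;
    if (lower === "style" && styleTriggersFetch(value)) continue;
    attrs[name] = value;
  }
  const children = (node.children || [])
    .map(stripFetchTriggers)
    .filter((child) => child !== null);
  return { tag, attrs, children };
}

// Constructed sample: the issue's three examples inside a comment body.
const SAMPLE = {
  tag: "div",
  attrs: { style: "background: url(https://evil.bad/bg.png)" },
  children: [
    "Nice post! ",
    { tag: "img", attrs: { src: "https://evil.bad/honeypot.png" }, children: [] },
    { tag: "a", attrs: { href: "https://example.org/", ping: "https://evil.bad/p" }, children: ["link"] },
    { tag: "link", attrs: { rel: "stylesheet", href: "https://evil.bad/t.css" }, children: [] },
  ],
};
```

Running `stripFetchTriggers(SAMPLE)` keeps the text and the anchor (minus `ping`) and drops the image, the stylesheet link and the `url()` inline style; in a browser the same walk applies to the Element tree the sanitizer returns.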
The sanitizer in Mozilla has this as an explicitly stated goal: loading a network resource is a bug. Network resources allow tracking by third parties, which is usually unwanted. This is true not only for email clients, but in many contexts where you want to sanitize the HTML.
Video decoders in particular are also very vulnerable to memory safety bugs, due to their complexity and performance-oriented implementation.