Read mail - "Display external images" does not work #16
Comments
Correct, currently the CSP is very strict to disallow everything from other domains. In application.ini you can modify So an img blacklist system in SnappyMail itself to prevent tracking would be better, however that might become a very long list due to mailing list systems with their remote image tricks. Or replace the 'load external images' option to have a list of all remote images so you can decide which images to load and which not. Will keep this open for (a long) discussion.
What happens when you enable the admin setting "Use local proxy for external images" in the Security setting? This feature was introduced in this commit for those who want to investigate the inner workings of this setting:
@ervee is correct! I totally forgot about the proxy. But that doesn't stop mail tracking (regarding read/unread stats). So for better tuning we can still have a list for downloading yes/no.
@ervee
By default we use image proxy for privacy. This does not solve mailing tracking for hidden "read" images
@phsc84 somehow you seem to be missing 'https:' in the img-src. I made changes to take the proxy into account. FAQ is cool. The wiki is open for everyone to add and edit
Correct, it does not stop tracking. But if you ask me, showing the images and subjecting themselves to possible tracking is a user choice.
With SnappyMail 2.0.0-rc2 this also works with "Use local proxy for external images" disabled. Some mails still don't get perfectly displayed. Will have a look at this later.
With SnappyMail 2.0.0-rc2 I get the following error.
The browser log shows the following messages:
I already thought so. Somewhere someone still uses insecure HTTP. Shall edit to allow http in the default when not using proxy.
With SnappyMail 2.0.0-rc3 this works perfectly fine!
RainLoop version, browser, OS:
2.0.0-rc1, Chrome 85.0.4183.102 (64-bit), Windows 10
Expected behavior and actual behavior:
In HTML mails, images are not displayed by default (which is perfectly ok). But there is a status bar, where you can click on to display external images.
When you click on this bar, the images are still not displayed.
Steps to reproduce the problem:
see description above
Logs or screenshots:
Browser log
Refused to load the image 'https://hostmecdn.azureedge.net/photos/original/bc0403c3a0f2b32a309b46b26d8e86b8' because it violates the following Content Security Policy directive: "img-src 'self' data:".
/apps/mail/#/mailbox/INBOX:1 Refused to load the image 'https://res.cloudinary.com/hostme/image/upload/v1485349543/mails/email/fb.png' because it violates the following Content Security Policy directive: "img-src 'self' data:".
/apps/mail/#/mailbox/INBOX:1 Refused to load the image 'https://res.cloudinary.com/hostme/image/upload/v1485349589/mails/email/inst.png' because it violates the following Content Security Policy directive: "img-src 'self' data:".
/apps/mail/#/mailbox/INBOX:1 Refused to load the image 'https://u2487786.ct.sendgrid.net/wf/open?upn=WBXUONgQrRkyTH6eqZGcKm4KaVKReDHEXQv5BzVFwnqWs5A5YWADXTSLDUGRnY9aYlQ3d1NN0VXATnplddYng2S4P6YBwKRnxI0LErQA90mQCkijzysrC42fzjSYokcNr4b9vEAQIXOKWFaPAK3R7LcNq4LcyOHwP08pn5mf7G6NaDA586MjuG38-2FQi5j4PISDGYQa0KunD3tBmFzHdXm7d2gwFGdWaX2zk-2B-2F6qX-2Fs4-3D' because it violates the following Content Security Policy directive: "img-src 'self' data:".
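The three `img-src` states that come up in this thread (the strict `'self' data:` policy from the browser log, the same policy with `https:` added, and with `http:` added as well), evaluated against sample image URLs. This is an added example, not SnappyMail code and not part of the original thread; the matcher is a simplified model of CSP source matching, and `APP_ORIGIN`, the sample URLs and the proxy path are constructed assumptions.

```javascript
// Simplified model of CSP img-src matching (ports and paths in host sources are ignored).
const APP_ORIGIN = "https://mail.example.org"; // constructed placeholder origin

// Return the source expressions of one directive, or null if it is absent.
function directiveSources(policy, name) {
  for (const part of policy.split(";")) {
    const [dir, ...sources] = part.trim().split(/\s+/);
    if (dir.toLowerCase() === name) return sources;
  }
  return null;
}

// Does one source expression allow this parsed URL?
function sourceAllows(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === selfOrigin;
  if (s === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {
    // Scheme source; per CSP3, "http:" also matches the more secure "https:".
    return url.protocol === s || (s === "http:" && url.protocol === "https:");
  }
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  // Assumption: a host source without a scheme is tied to the page's own scheme.
  const want = scheme ? scheme + ":" : new URL(selfOrigin).protocol;
  if (url.protocol !== want) return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// img-src governs images; default-src is the fallback when img-src is missing.
function imgAllowed(policy, rawUrl, selfOrigin = APP_ORIGIN) {
  const sources = directiveSources(policy, "img-src") ?? directiveSources(policy, "default-src");
  if (sources === null) return true; // nothing restricts images
  const url = new URL(rawUrl, selfOrigin);
  return sources.some((s) => sourceAllows(s, url, selfOrigin));
}

// Constructed samples; the proxy path is hypothetical, not SnappyMail's real one.
const SAMPLES = [
  "https://cdn.example.net/logo.png",
  "http://legacy.example.net/banner.gif",
  "data:image/gif;base64,R0lGODlhAQABAAAAACw=",
  "/proxy/image?u=placeholder",
];
function blocked(policy) {
  return SAMPLES.filter((u) => !imgAllowed(policy, u));
}
```

Under the strict policy only the inline `data:` image and the same-origin proxy URL load, which is why the proxy setting keeps remote images working without widening `img-src`.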