Regarding IMG tags in HTML email, here is a good point I received off-list. The sender did not wish to post directly, but approved forwarding this note. -Peter ----- Forwarded message (anonymous, forwarded with permission) ----- Date: Sat, 16 Jun 2001 22:55:41 +0200 To: Peter W <peterwat_private> From: <anonymous> Subject: Re: Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images) On 2001-06-15 at 09:26 -0400, Peter W gifted us with: > I wonder how it would work in HTML mail clients, though? You > could restrict to the sender's domain, but email is the easiest thing in > the world to spoof. (And an effective attack vector, especially against > things like messageboards that expose email addresses.) HTML email is just > evil evil evil. I can't see much need for HTML email to reference *any* > external documents, or to allow, as Jay Beale suggested, the use of things > like META refresh tags to effect client-pull CSRF attacks. Personally, I loath HTML email. However, surely a better approach for this is simply to restrict IMG links by insisting that the source be inline to the email. RFC 2112, multipart/related. Require that email IMG URLs start "cid:" in order to be automatically rendered. Whether or not to _allow_ the rendering of other IMGs is a more contentious issue. (Just one of those ideas which I've had floating around for a while, mainly to stop tracking of who's reading spam HTML email) ----- End forwarded message -----
This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 23:27:57 PDT