From kde-pim Thu Nov 21 22:16:18 2013 From: Ingo =?ISO-8859-1?Q?Kl=F6cker?= Date: Thu, 21 Nov 2013 22:16:18 +0000 To: kde-pim Subject: Re: [Kde-pim] emailprivacytester.com, video/audio tag Message-Id: <4334782.Y7NslRUvLY () thufir ! ingo-kloecker ! de> X-MARC-Message: https://marc.info/?l=kde-pim&m=138507221220185 MIME-Version: 1 Content-Type: multipart/mixed; boundary="--===============4554771955984062716==" --===============4554771955984062716== Content-type: multipart/signed; boundary=nextPart2985081.0mrbjSiDbi; micalg=pgp-sha1; protocol="application/pgp-signature" --nextPart2985081.0mrbjSiDbi Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="iso-8859-15" On Wednesday 20 November 2013 16:03:38 Jan Kundr=E1t wrote: > On Wednesday, 20 November 2013 14:03:15 CEST, Sebastian K=FCgler wrot= e: > > the test only loads an external reference from the web, nothing > > else. It doesn't actually test for tracking id or anything like > > that attached to the url >=20 > Hi Sebas, please note that it is impossible to write an algorithm for= > classifying URLs into two sets, one of them with "no tracking" and th= e > other with "with tracking ID" which works for all input and is > reliable. Hence blocking all remote requests sounds reasonable. >=20 > > Given that the user has explicitely allowed loading content from th= e > > web, this seems OK to me. > > I'm not sure how KMail works, but I read the original mail as "enable= d > loading HTML", not "enabled HTML and loading remote content". I read it the same way. > Perhaps > the original mail wasn't accurate and the KMail settings are in fact > "disable any HTML" vs. "enable any HTML, including remote contents". They are not. "Load external references" is a separate setting. > If that is the case, then the audio/video preview is indeed a > "feature", not a "bug". If, however, KMail has a feature for only > e.g. showing remote images upon explicit confirmation, then it makes > sense to treat the audio and video tags as something similar, in my > opinion. Indeed. FWIW, KMail trusts the khtml part (or does KMail nowadays use=20= another HTML renderer?) to do the right thing if loading of external=20= references is disabled. I'd be very unhappy if khtml misbehaved. I repeated the test. I cannot reproduce a problem with audio/video tags= ,=20 but, when I enabled HTML for the test message, then the following tests= =20 turned red: * Object tag - Flash (https://emailprivacytester.com/test/flash) * iframe tag (https://emailprivacytester.com/test/iframe) * CSS import (https://emailprivacytester.com/test/css_import) * CSS link tag (https://emailprivacytester.com/test/css) Bad KMail! Time to write a few bug reports for the HTML renderer. When I also enabled loading of external references, then a lot more=20 tests (all tests up to and including 'CSS link tag') turned red (which=20= is okay since I explicitly requested this). But KMail also executed the= =20 meta refresh and showed a different web page. Ouch! Regards, Ingo --nextPart2985081.0mrbjSiDbi Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part. Content-Transfer-Encoding: 7Bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEABECAAYFAlKOhjcACgkQGnR+RTDgudg61gCgmCDkHEGagViZPmiHgIOoy7i9 S2oAnjtVdpeC70UrQEXZKGtEqpJJRGxS =+vJD -----END PGP SIGNATURE----- --nextPart2985081.0mrbjSiDbi-- --===============4554771955984062716== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ KDE PIM mailing list kde-pim@kde.org https://mail.kde.org/mailman/listinfo/kde-pim KDE PIM home page at http://pim.kde.org/ --===============4554771955984062716==--