mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

Turn Off DNS Prefetch #1509

Open vikingmedia opened 5 years ago

vikingmedia commented 5 years ago

Hi,

I just did a test of roundcube (mail-in-a-box 0.30) standard configuration on chromium/linux using https://www.emailprivacytester.com - it performed pretty well. Only two privacy-related issues were detected:

Information on what that means is available at https://www.emailprivacytester.com. It seems this is a browser-related issue, but DNS prefetching can be disabled by adding some information in the HTML header. There was a patch for roundcube in 2010 (see https://github.com/roundcube/roundcubemail/issues/2639). This may not be a big deal, but I thought I would just mention it, so maybe it can be mitigated in future releases.

Thanks, Erik

jvolkenant commented 5 years ago

This header is already being sent; it will be up to your browser to honor it. Testing with Firefox, it doesn't look like it does. Not sure there is a really big security problem here, maybe I'm wrong?

```
curl -s -I https://box.example.com/mail/ | grep x-dns-prefetch-control
x-dns-prefetch-control: off
```

vikingmedia commented 5 years ago

Hi @jvolkenant, I don't think it's a big issue, I thought I should mention it, though. I can confirm that the header is being sent.
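The thread above mentions two places a DNS-prefetch opt-out can live: the `X-DNS-Prefetch-Control: off` response header that the box already sends, and a `<meta http-equiv="x-dns-prefetch-control">` tag inside the HTML (the Roundcube-side approach referenced in the first comment). The following is an added example, not Mail-in-a-Box or Roundcube code. It audits a captured HTTP response for both controls and lists the third-party hostnames in the page (href/src targets) that a prefetching browser would resolve before any click, which is the leak emailprivacytester.com looks for. The response texts and hostnames (`box.example.com`, `tracker.example.net`, `sender.example.org`) are constructed for the example; in practice you would feed it the output of `curl -si https://<your-box>/mail/`.

```python
"""Audit a raw HTTP response for DNS-prefetch controls and prefetchable hosts.

Added example for the thread above; not project code. Input is a raw HTTP
response as text (status line, headers, blank line, HTML body).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _PrefetchScanner(HTMLParser):
    """Collect x-dns-prefetch-control <meta> values and every hostname that
    appears in an href/src attribute (candidates for speculative DNS lookups)."""

    def __init__(self):
        super().__init__()
        self.meta_values = []
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            self.meta_values.append(a.get("content", "").strip().lower())
        for key in ("href", "src"):
            if key in a:
                host = urlsplit(a[key]).hostname  # None for relative/mailto: URLs
                if host:
                    self.hosts.add(host.lower())


def split_response(raw):
    """Return (headers, body); header names are lowercased, values stripped."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate LF-only captures
        head, sep, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def audit_prefetch(raw, own_host):
    """Report whether prefetch is disabled by header or meta tag, and which
    hosts other than own_host the HTML would cause a browser to resolve."""
    headers, body = split_response(raw)
    scanner = _PrefetchScanner()
    scanner.feed(body)
    header_off = headers.get("x-dns-prefetch-control", "").lower() == "off"
    meta_off = "off" in scanner.meta_values
    third_party = sorted(h for h in scanner.hosts if h != own_host.lower())
    return {
        "header_off": header_off,
        "meta_off": meta_off,
        "third_party_hosts": third_party,
        "protected": header_off or meta_off,
    }


# Constructed sample 1: mirrors the box in the thread (header sent, no meta tag),
# with a tracking pixel on a third-party host in the rendered body.
SAMPLE_BOX = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-DNS-Prefetch-Control: off\r\n"
    "\r\n"
    '<html><body><a href="/mail/?_task=mail">Inbox</a>'
    '<img src="https://tracker.example.net/open.gif">'
    '<a href="https://box.example.com/admin">Admin</a></body></html>'
)

# Constructed sample 2: no header, and a meta tag that explicitly turns
# prefetching ON, so the sender's host would be resolved on open.
SAMPLE_UNPROTECTED = (
    "HTTP/1.1 200 OK\n"
    "Content-Type: text/html\n"
    "\n"
    '<html><head><meta http-equiv="X-DNS-Prefetch-Control" content="on"></head>'
    '<body><a href="http://sender.example.org/unsubscribe">Unsubscribe</a>'
    '<a href="mailto:erik@example.org">Reply</a></body></html>'
)


if __name__ == "__main__":
    for label, raw in (("box", SAMPLE_BOX), ("unprotected", SAMPLE_UNPROTECTED)):
        print(label, audit_prefetch(raw, "box.example.com"))
```

`protected` is true when either control is present, because the header applies to the whole document response while the meta tag travels with the HTML itself; a webmail page that sets neither, yet embeds hostnames from the message sender, is the case the tester flags. As the thread notes, a browser is free to ignore both, so the audit confirms that the opt-out is sent, not that it is honored.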