okfde / froide

Freedom Of Information Portal

Disable HTML emails (with a user preference) #338

Closed jfilter closed 4 years ago

jfilter commented 4 years ago

Disable HTML emails (with a user preference)

stefanw commented 4 years ago

This should be – and in many email clients is – a client-side preference. Where do you see the harm?

jfilter commented 4 years ago

It depends on your level of paranoia, but HTML emails are a security risk. And it's not that easy to disable them client-side. I didn't find a solution for macOS Mail so far. There was a way to disable HTML but it's not working anymore.

defaults write com.apple.mail PreferPlainText -bool true

Ryuno-Ki commented 4 years ago

As far as I know, the implementation client-side relies on another tool which converts HTML to plain text (with better or worse results).

What do you do if someone sends HTML-mails only? (Instead of telling their client to send both formats)

stefanw commented 4 years ago

@Ryuno-Ki I think this issue is about the emails that FragDenStaat has started sending to users. They were text-only but we just started sending text+html emails for some of them (and will expand that to include more).

Regarding emails from public authorities to FragDenStaat, you are right: we convert HTML-only emails to Markdown-like text, mostly just to recover URLs from links. It works well enough except for some HTML (e.g. tables).

@jfilter if you see HTML as a security risk then you should disable it in your client (pretty sure you get more than FDS mails as HTML). If your client does not support that, you should switch clients (e.g. Thunderbird supports it).

jfilter commented 4 years ago

> pretty sure you get more than FDS mails as HTML

Yeah, but those emails are not for clicking links. FDS mails are mainly to do some action on FDS (to get there you need to click a link, ofc you don't have to click the link #worksforme).

stefanw commented 4 years ago

And clicking links actually works better in HTML – unfortunately. We have problems with @t-online.de customers where the web mail interface breaks long links which then become unusable. HTML mails fix this.

Opting out would not be too difficult to implement, but it would make our settings interface even more complicated. I will look at this again once we look at notification settings.
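
The opt-out discussed in this thread, sketched as an added example (not froide's code and not written by any participant): the text/plain part is always sent, the text/html alternative is attached only when the user has not opted out, and the build fails if a link in the HTML is missing from the plain-text part. `build_notification`, `html_opt_out`, `part_types`, the addresses and the sample URL are assumptions made for this illustration.

```python
from email.message import EmailMessage
from html.parser import HTMLParser


class _HrefCollector(HTMLParser):
    """Collect the href targets of <a> tags in the HTML alternative."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def build_notification(to_addr, subject, text_body, html_body=None,
                       html_opt_out=False):
    """Hypothetical helper: text/plain always, text/html unless opted out."""
    if html_body is not None:
        collector = _HrefCollector()
        collector.feed(html_body)
        # Opted-out users only see the text part, so it must carry every link.
        missing = [u for u in collector.hrefs if u not in text_body]
        if missing:
            raise ValueError(f"links missing from plain-text part: {missing}")
    msg = EmailMessage()
    msg["From"] = "notifications@example.org"  # constructed sender address
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(text_body)
    if html_body is not None and not html_opt_out:
        msg.add_alternative(html_body, subtype="html")  # multipart/alternative
    return msg


def part_types(msg):
    """Content types of the leaf MIME parts, in order."""
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]


# Constructed sample content.
URL = "https://example.org/request/12345/?token=constructed-sample-token"
TEXT = f"There is a new reply to your request.\n\nView it here:\n{URL}\n"
HTML = f'<p>There is a new reply.</p><p><a href="{URL}">View it</a></p>'

if __name__ == "__main__":
    print(part_types(build_notification("user@example.org", "New reply", TEXT, HTML)))
    print(part_types(build_notification("user@example.org", "New reply", TEXT, HTML, True)))
```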