GNOME Bugzilla – Bug 741313
Disable DNS prefetching for EWebView
Last modified: 2015-02-12 12:37:35 UTC
I ran the email privacy test [1] using 2 different email addresses with evolution. It managed to make evolution do some reloading which results in an error message: ----- Unable to load page Problem occurred while loading the URL about:blank ----- After that the email privacy test told me that their test was positive. Details are available on [2]. From their description: ----- In the <body> of the HTML part, place a tag as follows: <link rel="dns-prefetch" href="http://TRACKING_URL/"> This test wont leak your IP address, but it will leak the IP address of your DNS resolvers, which can provide information on which ISP you're using and potentially your general location. ----- I think evolution mail view should never do anything actively when displaying Emails. DNS prefetching is definitely not useful for a display-only mail client (not a browser). [1] https://emailprivacytester.com/ [2] https://emailprivacytester.com/test/dns_link
Thanks for a bug report. I'm afraid I do not completely follow. I read the links you gave and it seems pretty simple. The site sent you an email, which has certain HTML body with some tricks how to track the receiver. One of the most simple is a remote image, downloaded from the "spammer's" site. If user lets it download, then evolution cannot do anything about it. Evolution is using WebkitGTK for the message rendering, with some pre-filtering of what will be downloaded and what not. It also downloads certain parts manually, without Webkit's intervention. I do not understand the dns_link test [2]. Does the text mean that evolution should add such text to a message body, or that "if the message body contains this, then the resolver's IP is leaked"? I guess the later. How does one fight such <link> tags? One can have a legitimate remote resource in the <link> tag, like a CSS file, which is the same as images for evolution, if you'll not let it download remote images, then neither the remote CSS files will be downloaded.
If I followed it right you want for us to disable the dns prefetching[0] for the Evolution? [0] - http://webkitgtk.org/reference/webkitgtk/stable/WebKitWebSettings.html#WebKitWebSettings--enable-dns-prefetching
@Milan Crha: The problem is not with images loaded from the spammers website. When the user chooses to load them we can't protect him. When displaying an email containing a link like this <link rel="dns-prefetch" href="http://TRACKING_URL/"> Evolution should (in my opinion) not do the prefetching since this would leak date and IP address of whoever reads the mail. This always happens when viewing the Email as HTML. Currently there is no way (at least no obvious way) to disable prefetching as a user. @Tomas Popela: Yes, disabling prefetching in WebKit should fix this problem. Prefetching is no critical feature for an email client so I don't think anyone would miss it.
I see, let's disable it.
Fixed with commit [0] in the master branch for Evolution 3.13.10+ and with commit [1] in the evolution-3-12 branch for Evolution 3.12.10+. [0] - https://git.gnome.org/browse/evolution/commit/?id=534aa21085fd8a1beba3b6b7c7938cd9fb418da6 [1] - https://git.gnome.org/browse/evolution/commit/?h=evolution-3-12&id=6e4db018b6f085e84f358987c0a1c58c703e57fe
*** Bug 742761 has been marked as a duplicate of this bug. ***