Re: [websec] Test of XHR in HTML mail

Gervase Markham <gerv@mozilla.org> Tue, 13 December 2011 10:12 UTC

Message-ID: <4EE72516.1080201@mozilla.org>
Date: Tue, 13 Dec 2011 10:12:38 +0000
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111103 Thunderbird/8.0
MIME-Version: 1.0
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <E1RaC4C-000OK3-N4@smtp.bbn.com> <7B56D5AA-5052-4898-A73A-AED1F958019C@bbn.com> <9D762009-DF92-4B54-8B21-9767AC099C34@bbn.com>
In-Reply-To: <9D762009-DF92-4B54-8B21-9767AC099C34@bbn.com>
Cc: WEBSEC Mailing List <websec@ietf.org>
Subject: Re: [websec] Test of XHR in HTML mail

On 12/12/11 20:07, Richard L. Barnes wrote:
> In fact, it doesn't look like they're even processing the onload
> handler for the <body> element (except for Gmail).  That black line
> you see is a collapsed <div>, and it should be hidden on load.  Maybe
> MUAs just aren't supporting JavaScript? --Richard

It's not that they don't support it (Thunderbird is half-written in
JavaScript!), it's that they turn it off. It's been disabled by default
since at least Thunderbird 2. Doing so leads to a large reduction in
attack surface.

Gerv