Package: urlview
Version: 0.9-21+b1
Severity: wishlist
Tags: upstream
X-Debbugs-Cc: debbug.urlv...@sideload.33mail.com

Tracker pixels are quite commonly used to snoop on email
recipients. URLview ignores URLs that specify an image to render.

We can perhaps configure the REGEXP variable to match <img…> tags, but
then urlview cannot be used simultaneously for what it was intended
(to visit URLs).

In principle there should ideally be two lists of URLs (thus two
regular expressions):

  1) URLs that users might want to visit
  2) IMG URLs. This list can be useful in two ways:

     * Someone might want to view or fetch an image (though unlikely;
       they can always render the message in a GUI browser for that)

     * To view all possible URLs that could be a tracker
       pixel. Tracker pixels cannot easily be detected
       programmatically, so the URLs need to be presented in a way that
       makes it easy for a human to detect them manually.

It might also be useful for a user to have the option of tagging a
URL they determine to be a tracker pixel which could then be added to
a database of known tracker pixel URLs. Senders tend to make tracker
pixels unique per recipient, not per message. So when another message
from the same sender is fed to urlview, it could recognize already
identified tracker pixels and highlight them in some way. And more
usefully, the DB could be queried by the MUA so tracked messages can
be highlighted to users in the MUA.

If this functionality is implemented, the developer should be mindful
of embedded images. It’s possible for IMG tags to contain an embedded
“URI image”, whereby a very long string in base64 encodes an
image. Syntax is described here:

  https://www.thesitewizard.com/html-tutorial/embed-images-with-data-urls.shtml

Such images are certainly not tracker pixels and should be
ignored. Though such images would probably be ignored naturally since
they contain no URL anyway.

FYI, this same request will be submitted to the urlscan project.

-- System Information:
Debian Release: 11.5
  APT prefers oldstable-updates
  APT policy: (990, 'oldstable-updates'), (990, 'oldstable-security'), (990, 'testing'), (990, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-19-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages urlview depends on:
ii  libc6           2.31-13+deb11u5
ii  libncurses6     6.2+20201114-2
ii  libtinfo6       6.2+20201114-2
ii  sensible-utils  0.0.14

Versions of packages urlview recommends:
ii  elinks [www-browser]              0.13.2-1+b1
ii  firefox-esr [www-browser]         102.6.0esr-1~deb11u1
ii  lynx [www-browser]                2.9.0dev.6-3~deb11u1
ii  ungoogled-chromium [www-browser]  90.0.4430.212-1.sid1
ii  w3m [www-browser]                 0.5.3+git20210102-6

Versions of packages urlview suggests:
pn  mutt          <none>
pn  ncftp | lftp  <none>
ii  wget          1.21-1+deb11u1

-- no debconf information
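
The two-list idea from the report, sketched in Python as an added example (not urlview code and not from the reporter): links and remote IMG URLs are collected separately, embedded data: images are skipped, and IMG URLs already tagged as trackers are flagged. The sample message, the host names and the host-plus-path database key are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML body; every host name here is a placeholder.
SAMPLE_HTML = """\
<p>Read the <a href="https://news.example.org/issue/42">newsletter</a>.</p>
<img src="https://cdn.example.org/logo.png" width="200" height="60">
<img src="https://t.example.net/o.gif?rid=a1b2c3" width="1" height="1">
<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline">
<img src="HTTPS://T.example.net/o.gif?rid=a1b2c3&amp;m=2" style="display:none">
"""


class UrlSplitter(HTMLParser):
    """Collect link URLs and remote image URLs in separate lists."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            # Embedded data: images trigger no network fetch, so skip them.
            if urlsplit(a["src"]).scheme in ("http", "https"):
                self.images.append((a["src"], a.get("width"), a.get("height")))


def tracker_key(url):
    """Assumed DB key: lowercase host plus path, query string dropped."""
    return (urlsplit(url).hostname or "") + urlsplit(url).path


def split_urls(html, known_trackers=frozenset()):
    """Return (links, images); each image is (url, width, height, known)."""
    parser = UrlSplitter()
    parser.feed(html)
    parser.close()
    images = [(u, w, h, tracker_key(u) in known_trackers)
              for u, w, h in parser.images]
    return parser.links, images


if __name__ == "__main__":
    links, images = split_urls(SAMPLE_HTML, {"t.example.net/o.gif"})
    print(*links, sep="\n")
    for url, w, h, known in images:
        print("KNOWN" if known else "IMG  ", f"{w or '?'}x{h or '?'}", url)
```

Printing the width and height next to each IMG URL gives the human reviewer the 1x1 hint without fetching anything.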
