Package: urlview
Version: 0.9-21+b1
Severity: wishlist
Tags: upstream
X-Debbugs-Cc: debbug.urlv...@sideload.33mail.com
Tracker pixels are quite commonly used to snoop on email recipients. URLview ignores URLs that specify an image to render. We can perhaps configure the REGEXP variable to match <img…> tags, but then urlview cannot be used simultaneously for what it was intended (to visit URLs).

In principle there should ideally be two lists of URLs (thus two regular expressions):

1) URLs that users might want to visit
2) IMG URLs.

This list can be useful in two ways:

* Someone might want to view or fetch an image (though unlikely; they can always render the message in a GUI browser for that)
* To view all possible URLs that could be a tracker pixel.

Tracker pixels cannot easily be detected programmatically, so the URLs need to be presented in a way that makes it easy for a human to detect them manually. It might also be useful for a user to have the option of tagging a URL they determine to be a tracker pixel, which could then be added to a database of known tracker pixel URLs. Senders tend to make tracker pixels unique per recipient, not per message. So when another message from the same sender is fed to urlview, it could recognize already identified tracker pixels and highlight them in some way. And more usefully, the DB could be queried by the MUA so tracked messages can be highlighted to users in the MUA.

If this functionality is implemented, the developer should be mindful of embedded images. It’s possible for IMG tags to contain an embedded “URI image”, whereby a very long string in base64 encodes an image. Syntax is described here:

https://www.thesitewizard.com/html-tutorial/embed-images-with-data-urls.shtml

Such images are certainly not tracker pixels and should be ignored. Though such images would probably be ignored naturally since they contain no URL anyway.

FYI, this same request will be submitted to the urlscan project.
-- System Information:
Debian Release: 11.5
  APT prefers oldstable-updates
  APT policy: (990, 'oldstable-updates'), (990, 'oldstable-security'), (990, 'testing'), (990, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-19-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages urlview depends on:
ii  libc6           2.31-13+deb11u5
ii  libncurses6     6.2+20201114-2
ii  libtinfo6       6.2+20201114-2
ii  sensible-utils  0.0.14

Versions of packages urlview recommends:
ii  elinks [www-browser]              0.13.2-1+b1
ii  firefox-esr [www-browser]         102.6.0esr-1~deb11u1
ii  lynx [www-browser]                2.9.0dev.6-3~deb11u1
ii  ungoogled-chromium [www-browser]  90.0.4430.212-1.sid1
ii  w3m [www-browser]                 0.5.3+git20210102-6

Versions of packages urlview suggests:
pn  mutt          <none>
pn  ncftp | lftp  <none>
ii  wget          1.21-1+deb11u1

-- no debconf information
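
The two-list behaviour requested in the report above, sketched in Python as an added example; it is not urlview code and not part of the original report. The names `UrlCollector`, `split_urls` and `known_trackers` are hypothetical, `known_trackers` stands in for the proposed database of tagged URLs, and the sample message is constructed.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every address and URL here is made up.
SAMPLE = """\
From: news@example.com
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://example.com/article">Read more</a>
<img src="https://example.com/logo.png" alt="logo">
<img src="https://track.example.com/o/abc123.gif" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""

class UrlCollector(HTMLParser):
    """Keep <a href> targets and remote <img src> targets in separate lists."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"].strip())
        elif tag == "img" and attrs.get("src"):
            src = attrs["src"].strip()
            # data: (and cid:) sources name no remote host, so nothing is
            # fetched from a server and they cannot act as tracker pixels.
            if urlsplit(src).netloc:
                self.images.append(src)

def split_urls(raw_message, known_trackers=frozenset()):
    """Return (links, images, flagged) for the HTML parts of a raw message.

    known_trackers is a hypothetical stand-in for the proposed database of
    URLs a user has already tagged as tracker pixels.
    """
    collector = UrlCollector()
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    flagged = [u for u in collector.images if u in known_trackers]
    return collector.links, collector.images, flagged
```

The image list is left unfiltered for manual review, as the report asks; only URLs already present in `known_trackers` are flagged automatically.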