https://bugs.kde.org/show_bug.cgi?id=394554

Bug ID: 394554
Summary: Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking
Product: kmail2
Version: 5.8.0
Platform: Neon Packages
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: UI
Assignee: kdepim-b...@kde.org
Reporter: kdeb...@customcdrom.de
Target Milestone: ---

kMail 5.8.1 seems to load external references in HTML emails without asking, possibly disclosing to a third party (company / spammer / scammer) that the mail has been displayed.

I configured kMail to prefer plain text messages and not to load any external references. (The current Efail debate shows the validity of those measures.)

After clicking "activate formatted HTML display", older kMail versions (until recently) would roughly format the message but display a second question "load external references" which had to be confirmed explicitly.

If I click "activate formatted HTML display" in kMail 5.8.1, all external images for example seem to be loaded immediately, possibly disclosing information about validity / reachability of my email address to adverse third parties.

Expected behaviour: If "load external references" is unchecked in the options, no external references (CSS styles, images, anything else) are loaded until I explicitly confirm that I actually want to do so.

It's important that "render HTML" and "load external references" are split into two separate steps, as lots of HTML mails do not have any proper plain text content embedded, so I sometimes have to resort to the rendered HTML contents to even decide if the mail is legit (or I want to trust it fully) or not. This gets close to impossible if activating HTML rendering will automatically load all stuff it references from the internet, including activating counter pixels or submitting tracking ID information by specifically crafted HTTP GET requests.

Additionally, externally referenced file types may be loaded which I really do not want to be downloaded, like PDF or even some script or executable files.
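
Added example, not part of the bug report and not KMail code: a Python check that lists the references in a message's HTML parts which a renderer would fetch on display, the kind of list a "load external references" prompt has to gate. The class and function names, the sample message and its example.com hosts are constructed for illustration, and only common attributes and CSS `url()` are covered (not `srcset` or `@import` without `url()`).

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

FETCH_ATTRS = {"src", "background", "poster", "data"}  # fetched on display, no click
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False

    def _add(self, where, url):
        # cid: and data: references are local to the message and are skipped
        if re.match(r"(?i)(https?:)?//", url.strip()):
            self.refs.append((where, url.strip()))

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value and (name in FETCH_ATTRS or (tag, name) == ("link", "href")):
                self._add(f"{tag}[{name}]", value)
            elif value and name == "style":
                for url in CSS_URL.findall(value):
                    self._add(f"{tag}[style]", url)

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self._add("style", url)

def remote_references(raw_message):
    """Return (location, url) pairs an HTML renderer would fetch on display."""
    refs = []
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            refs += finder.refs
    return refs

SAMPLE = ('Content-Type: text/html; charset="utf-8"\n\n'  # constructed message
          '<link rel="stylesheet" href="https://cdn.example.com/mail.css">'
          "<style>body{background:url('http://img.example.com/bg.png')}</style>"
          '<img src="https://track.example.com/open.gif?id=abc123">'
          '<img src="cid:logo@example.com"><a href="https://example.com/o">o</a>')
```

For the sample, `remote_references(SAMPLE)` reports the stylesheet, the CSS background image and the counter pixel; the `cid:` image and the ordinary link, which needs a click, are not reported.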