{"id":451,"date":"2013-11-13T10:42:05","date_gmt":"2013-11-13T15:42:05","guid":{"rendered":"http:\/\/fazigu.org\/blog\/?p=451"},"modified":"2014-01-01T16:05:07","modified_gmt":"2014-01-01T21:05:07","slug":"thunderturd-or-how-i-learned-to-stop-griping-and-allow-remote-content","status":"publish","type":"post","link":"https:\/\/fazigu.org\/blog\/2013\/11\/13\/thunderturd-or-how-i-learned-to-stop-griping-and-allow-remote-content\/","title":{"rendered":"Thunderturd! or: How I Learned To Stop Griping and Allow Remote Content"},"content":{"rendered":"

I’m working from home, and our company’s outsourced webmail leaves much to be desired. \u00a0My desktop is Windows 7, since it offers the compatibility necessary in the corporate world, while most of my work is done through an xterm launched from my Linux box over CAT6.<\/p>\n

Rather than keeping up multiple webmail windows or collecting them all through one service (which usually leaves me with duplicate synchronizations across devices), I decided to choose an email client. \u00a0First, it was Windows Live Mail, and I liked it– for the most part. \u00a0Then, we were asked to standardize on a signature with images, and Live Mail didn’t seem to allow that. \u00a0It also didn’t have much flexibility in quoting replied messages.<\/p>\n

I tried Outlook 2007 for a while, but it began hanging on IMAP more frequently than my blood pressure would comfortably allow. \u00a0I’d given Mozilla’s Thunderbird a whirl, but something about it really pissed me off at the time. \u00a0I tried it again.<\/p>\n

Decent. \u00a0Open Source, so there are updates, and I could hack the goddamned code if I wanted to fix something real hard<\/em>. \u00a0The most annoying quirk was the “Allow remote content?” pop-in panel. \u00a0It seemed to have an all-or-one idea of what should be allowed, where one could show all remote content, or approve single email addresses. \u00a0This was a nuisance with, for example, notifications from Google+, which are “From” a generated email address. \u00a0Thus, adding that address to your contents did nothing but bloat your contact list.<\/p>\n

A bit more digging found that Thunderbird had the same “about:config” back-door to its internal configuration properties as its brother-father-cousin Firefox and Mozilla and Netscape, and within there was a mail.trusteddomains setting. \u00a0One opens this menu through the “Tools” option in the menu-bar, under “Options…”, and then:<\/p>\n

\"thunderturdOptionsWindow\"<\/a><\/p>\n

According to the arcane documentation available, opening this dialog and setting this property to a comma-delimited list of domain names would instruct Thunderbird to automatically load content<\/em> (n.b.) from those domains. \u00a0Each entry should be a single base domain name– not a subdomain<\/em>. \u00a0That is, “google.com” rather than “plus.google.com”.<\/p>\n

Adding “google.com” didn’t work. \u00a0I searched some more, then this morning came across a question on a Thunderbird support site<\/a>\u00a0— posted almost a year ago and without a resolution. \u00a0So, I went to semi-angrily post my response, then realized– “Hey, me. \u00a0It surely isn’t just white-listing domains based on an email address. \u00a0If it were, anyone using a gmail account could just plop in an externally-hosted image in an HTML message and have it trusted.” \u00a0So, I viewed the source of this particular Google+ notification.<\/p>\n

Two images: one from googleusercontent.com<\/span> and another from gstatic.com<\/span>.<\/p>\n

Short answer?<\/p>\n

Set mail.trusteddomains<\/span><\/strong> to\u00a0google.com,googleusercontent.com,gstatic.com\u00a0<\/span><\/strong>…<\/span><\/span><\/p>\n

\"thunderturdAboutConfigWindow\"<\/a><\/p>\n

And now, they will load. \u00a0This won’t help much if images are loaded from a CDN<\/a>, and it’s a bit of a nuisance to “View Source” on a message, search and record each “img” tag’s domain, then add them all to the property, but– it works.<\/p>\n

One final commentary which would be a sidebar if I knew how to do it in WordPress: Why not just allow all remote content? \u00a0At first, even though I’m a hacker and a cracker and I think I always will, I almost just said “fuck it, it’s just cookies!” \u00a0A second later, I realized that any image being loaded involves a hit to where that image is hosted, and while that URL might indicate it’s just plucking a .jpg, it could be doing anything. \u00a0It probably isn’t running a script on your mail client (I doubt Thunderbird would allow that), but it could certainly be recording that the message was read, and where it was read from, and all manner of other invasive maneuvers. \u00a0At its most innocuous, it could serve as a reasonably accurate “Read Receipt” for mail sent to anyone who trusts you– although they probably won’t trust you as much if\/when they realize you’re doing that.<\/p>\n

Enjoy.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

I’m working from home, and our company’s outsourced webmail leaves much to be desired. \u00a0My desktop is Windows 7, since it offers the compatibility necessary in the corporate world, while most of my work is done through an xterm launched from my Linux box over CAT6. Rather than keeping up multiple webmail windows or collecting […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[60],"class_list":["post-451","post","type-post","status-publish","format-standard","hentry","category-hacking","tag-tips-and-tricks"],"_links":{"self":[{"href":"https:\/\/fazigu.org\/blog\/wp-json\/wp\/v2\/posts\/451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fazigu.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fazigu.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fazigu.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fazigu.org\/blog\/wp-json\/wp\/v2\/comments?post=451"}],"version-history":[{"count":4,"href":"https:\/\/fazigu.org\/blog\/wp-json\/wp\/v2\/posts\/451\/revisions"}],"predecessor-version":[{"id":457,"href":"https:\/\/fazigu.org\/blog\/wp-json\/wp\/v2\/posts\/451\/revisions\/457"}],"wp:attachment":[{"href":"https:\/\/fazigu.org\/blog\/wp-json\/wp\/v2\/media?parent=451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fazigu.org\/blog\/wp-json\/wp\/v2\/categories?post=451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fazigu.org\/blog\/wp-json\/wp\/v2\/tags?post=451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}