Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
On 2/28/06, Daniel Veditz <dveditz@xxxxxxxxxx> wrote:
> Once a user has pressed the "Show Images" button--not the best label
> since it covers all remote content--that state is stored in the mailbox
> metadata/index file (.msf) and the remote content will then be loaded on
> future viewings.
Hmmm. I didn't realise the "Show Images" setting got stored, and I
don't think that's the best strategy from a privacy point of view. I
take it you mean "stored for that one message", and not "stored for
all messages from that sender", or "stored for all messages" - but
still .... it would be better to not store it at all, IMHO. Users can
always add senders to their Address Book if they want to evade the
"block-images" feature.
How about displaying more option buttons when remote images have been blocked?
e.g.:

  Show remote images this time only
  Always show remote images when this message is viewed
  Always show remote images from this sender
  Always show remote images

Nick Boyce
--
Never fdisk after midnight