8

Recent versions of Emacs have a really good renderer for HTML written entirely in Elisp. This renderer (shr) can be used for displaying HTML emails, documentation, etc. However, it seems that shr retrieves remote resources referenced in HTML documents (e.g. images). If the HTML is untrusted, as in the case of spam emails, this leads to a number of security and privacy concerns.

Question: How is it possible to prevent shr from accessing remote resources when rendering HTML?

tmalsburg
  • I suspect that's rather something that can be adjusted in `url.el` only. – wasamasa Nov 14 '14 at 18:59
  • 2
    @wasamasa You mean I could temporarily let `url.el` refuse access to remote resources? That sounds like it could break things in shr. I think shr should be able to distinguish between local and remote resources and it should have a mode in which it doesn't even attempt to retrieve remote stuff. – tmalsburg Nov 14 '14 at 19:15

1 Answer

6

shr.el has a `(defvar shr-inhibit-images nil)`, and a

```elisp
(defcustom shr-blocked-images nil
  "Images that have URLs matching this regexp will be blocked."
  :version "24.1"
  :group 'shr
  :type '(choice (const nil) regexp))
```

It seems like `(setq shr-inhibit-images t)` stops the web requests when I view HTML emails.

Note that it turns off image display for eww entirely. That is OK for me but might not work for you. You can of course add an eww-mode keybinding that would toggle this + reload a given page when turning images on.

mankoff
  • Thank you! I'm not sure whether this is completely watertight but it seems to handle most cases. – tmalsburg Nov 14 '14 at 21:45
  • 2
    My solution is to temporarily bind `shr-inhibit-images` to `t` when rendering HTML emails. This way eww should be unaffected. – tmalsburg Nov 14 '14 at 21:48
  • Can you provide the code for this? – mankoff Nov 15 '14 at 03:16
  • 1
    So this discussion is going on on the mu4e list at the same time. It was pointed out the above inhibits images, but shr may still access the web for cookies, javascript, etc. – mankoff Nov 15 '14 at 04:02
  • Mu4e has a function for rendering HTML emails. It's called `mu4e-shr2text`. My modified version with inhibition of images can be found here: https://github.com/tmalsburg/mu/blob/master/mu4e/mu4e-contrib.el#L44 I doubt that statement about cookies and javascript. Cookies are not retrieved using separate connections and eww/shr has no support for javascript to my knowledge. – tmalsburg Nov 15 '14 at 18:09
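
An added example, not code from this page or from mu4e: one way to apply the temporary binding of `shr-inhibit-images` discussed in the comments, and to check which URLs shr hands to `url.el` while rendering. The names `my/shr-render-audited`, `my/shr-sample-html` and `my/shr-audit-demo` and the sample HTML are hypothetical; the code assumes an Emacs built with libxml2.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; my/... names and the sample HTML are hypothetical.
(require 'cl-lib)
(require 'shr)
(require 'url)
(require 'url-queue)

(defun my/shr-render-audited (html &optional inhibit)
  "Render the string HTML with shr and return (TEXT . URLS).
URLS lists, in order, every URL shr handed to url.el while rendering.
Nothing is fetched: the url.el entry points are stubbed for this call.
INHIBIT non-nil binds `shr-inhibit-images' to t for this call only,
so eww and other shr users keep their own setting."
  (let* ((attempted '())
         ;; Stub: record the requested URL and return without fetching.
         (record (lambda (url &rest _args) (push url attempted) nil))
         ;; Dynamic binding; it ends when this function returns.
         (shr-inhibit-images inhibit))
    (cl-letf (((symbol-function 'url-retrieve) record)
              ((symbol-function 'url-queue-retrieve) record)
              ((symbol-function 'url-retrieve-synchronously) record))
      (with-temp-buffer
        (insert html)
        (let ((dom (libxml-parse-html-region (point-min) (point-max))))
          (erase-buffer)
          (shr-insert-document dom)
          (cons (buffer-substring-no-properties (point-min) (point-max))
                (reverse attempted)))))))

(defconst my/shr-sample-html
  ;; Constructed sample: a mail body with a remote image and a link.
  (concat "<html><body><p>Hello</p>"
          "<img src=\"http://tracker.example.invalid/open.png\" alt=\"logo\">"
          "<a href=\"http://example.invalid/\">a link</a>"
          "</body></html>"))

(defun my/shr-audit-demo ()
  "Return the URLs requested without and with the inhibiting binding."
  (list :default   (cdr (my/shr-render-audited my/shr-sample-html))
        :inhibited (cdr (my/shr-render-audited my/shr-sample-html t))))

;; Evaluate (my/shr-audit-demo): any URL listed under :inhibited is a
;; request that `shr-inhibit-images' did not suppress.  Only requests made
;; through the three stubbed url.el functions are seen by this check.
```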