Details
Bug
Resolution: Done
P1: Critical
6.3.2
None
6bd06fdb35 (qt/qtwebengine/dev) 03bb8b2427 (qt/qtwebengine/6.4) a8c5c92755 (qt/qtwebengine/6.3) a8c5c92755 (qt/tqtc-qtwebengine/6.3) 03bb8b2427 (qt/tqtc-qtwebengine/6.4) 03bb8b2427 (qt/tqtc-qtwebengine/6.4.1)
Description
In https://codereview.qt-project.org/c/qt/qtwebengine/+/372867, the LocalContentCanAccessRemoteUrls setting was changed to block any remote requests, to be used e.g. for email clients to avoid leaking tracking information to the sender.
From IRC:
2022-05-31 12:57:02 carewolf don't know what you want. It is to disable email-readers from revealing the email is received by fetching remote data
2022-05-31 12:59:38 carewolf but that behavior was all kinds of broken and arbitrary. The difference with setting it to true, is just loading html content set with html. But it could be worked around by using XHR
However, even with that change, DNS prefetch links are still leaked, based on my tests with https://www.emailprivacytester.com/ - see https://www.emailprivacytester.com/testDescription?test=dnsLink for context. Thus, based on that, senders could still tell when the email has been read.
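An added example, not part of the original report or of Qt's code: a check that an email client or its test suite could run over message HTML before rendering. It lists `<link>` resource hints that name a remote host, covering the `dns-prefetch` case reported above and generalizing to the other hint `rel` values. The function names, host names and sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values that ask the engine to touch the network (DNS lookup or more)
# without loading any visible content. dns-prefetch is the case in this report;
# the others are included as a generalization.
HINT_RELS = {"dns-prefetch", "preconnect", "prefetch", "prerender", "preload"}


class HintFinder(HTMLParser):
    """Collects (rel, host) for every <link> resource hint naming a remote host."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}  # parser already lowercases names
        rels = set(a.get("rel", "").lower().split()) & HINT_RELS
        try:
            # Protocol-relative hrefs ("//host") are the usual dns-prefetch form.
            host = urlsplit(a.get("href", "").strip()).hostname
        except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
            host = None
        if host:
            self.hints.extend((rel, host) for rel in sorted(rels))


def find_resource_hints(html):
    """Return [(rel, host), ...] in document order for remote resource hints."""
    finder = HintFinder()
    finder.feed(html)
    finder.close()
    return finder.hints


# Constructed sample message; the per-recipient subdomain is what makes a bare
# DNS lookup enough to tell the sender that the mail was opened.
SAMPLE_EMAIL = """<html><head>
<link rel="dns-prefetch" href="//u12345.tracker.example">
<link rel="stylesheet" href="local.css">
<LINK REL="Preconnect DNS-Prefetch" HREF="https://cdn.tracker.example/">
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for rel, host in find_resource_hints(SAMPLE_EMAIL):
        print(f"remote resource hint: rel={rel} host={host}")
```

A non-empty result means the message can trigger name resolution for a sender-controlled host even when remote content loading is blocked, so the hints should be stripped or the message flagged before it reaches the web view.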