EmailDiscussions.com - FastMail Forum
Thread: Webmail: Nefarious Javascript ? (http://www.emaildiscussions.com/showthread.php?t=77406)

DumbGuy 28 Oct 2020 06:54 AM

Webmail: Nefarious Javascript ?
 
I've been wondering... Is there a risk a bad actor can include nefarious javascript in an email, send it to me/anyone, and then it executes while viewing the message in FastMail's webmail?

All these years I haven't worried about it, since I know such message content would be included in the domain FastMailUserContent.com, and I use a javascript firewall when browsing (Firefox + NoScript) to block script executions from that domain. (To be more accurate, all domains are blocked for scripting unless whitelisted, such as FastMail.com.) I'm confident such javascript would thus be blocked when reading messages.

Now, something happened within the past day or so, whereby suddenly all images within my (webmail-read) messages would not be shown, and this is of course after I click at the top of the message to display images (actually, I use the keyboard shortcut, capital 'L').

I quickly figured out that I needed to, for some unknown reason, whitelist FastMailUserContent.com in my JS firewall (NoScript) on all of my devices/browsers, and suddenly images in emails began displaying again. I'm not sure why this is suddenly needed after all these years otherwise. Did FM begin requiring JS to display images, perhaps as some security precaution?

But now I'm back to the original evil-javascript concern and wonder if I'm suddenly vulnerable to such incoming sly emails intended to execute bad JS in my browser when I read them. Does anyone know the risk here? Does FastMail (hopefully) somehow pre-emptively prevent JS execution in message content? No one ever really talks about this.

Thanks.

rjbs 29 Oct 2020 09:18 PM

Basically: you shouldn't have to worry about it. Between scrubbing the content and sequestering it on another domain, you're being taken care of. Somebody else might give a long detailed reply but the short answer is: it gets a lot of thought.
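The two defences named in this reply (scrubbing the HTML before display, and serving the result from a separate origin so nothing in it runs with the webmail's privileges) are what the original question is really asking about. The following is an added example, not FastMail's code and not a description of how FastMail actually does it: a hypothetical webmail backend scrubs each HTML body with an allowlist parser from the Python standard library, then shows it inside a sandboxed iframe served from a separate user-content origin with a script-free Content-Security-Policy. The origin names (msg.usercontent.example, webmail.example) and the sample message are constructed for the example.

```python
"""Defensive HTML-mail rendering: content scrubbing plus origin separation.

Added example (hypothetical backend, not FastMail's implementation).
"""
from html import escape
from html.parser import HTMLParser

# Allowlist of elements that survive scrubbing. Anything not listed is dropped
# (its text is kept), so new or exotic elements are safe by default.
ALLOWED_TAGS = {
    "a", "b", "blockquote", "br", "div", "em", "h1", "h2", "h3", "i", "img",
    "li", "ol", "p", "span", "strong", "table", "td", "th", "tr", "u", "ul",
}
# Elements whose inner content is dropped too (script bodies, CSS, frames).
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript", "template"}
# Attributes allowed per element; "style" is deliberately absent (url()/expressions).
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
GLOBAL_ATTRS = {"class", "title"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br", "img"}

# Constructed sample message containing the usual smuggling tricks.
CONSTRUCTED_MESSAGE = """<p onmouseover="alert(1)">Hi <b>there</b></p>
<script>alert('xss')</script>
<a href="javascript:alert(1)">click</a>
<a href="https://example.com/news">news</a>
<img src="https://example.com/logo.png" onerror="alert(2)" alt="logo">
<iframe src="https://example.com/frame"></iframe>
<!--[if IE]><script>alert(3)</script><![endif]-->
<style>body{display:none}</style>
"""


def _safe_url(value):
    """Accept only absolute http(s)/mailto URLs. Control characters and whitespace
    are removed before the check so "java\\nscript:" style obfuscation is rejected."""
    v = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    return any(v.startswith(s) for s in SAFE_SCHEMES)


class MailScrubber(HTMLParser):
    """Rebuilds the message from an allowlist; everything else is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return
        allowed = ALLOWED_ATTRS.get(tag, set()) | GLOBAL_ATTRS
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Event handlers (on*), non-allowlisted and valueless attributes go.
            if name.startswith("on") or name not in allowed or value is None:
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer" target="_blank"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments, including IE conditional comments, are dropped


def scrub_html_mail(html):
    """Return the scrubbed HTML body for the given raw message HTML."""
    parser = MailScrubber()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Hypothetical separate origin that serves only scrubbed message bodies.
USER_CONTENT_ORIGIN = "https://msg.usercontent.example"


def user_content_headers():
    """Response headers for the scrubbed body on the user-content origin. Even if
    something slipped past the scrubber, the CSP forbids script execution and
    frame-ancestors restricts who may embed the body."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": (
            "default-src 'none'; img-src https:; style-src 'unsafe-inline'; "
            "form-action 'none'; frame-ancestors https://webmail.example"
        ),
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
    }


def message_frame(message_id):
    """The iframe the webmail app (on its own origin) uses to display a body.
    The sandbox omits allow-scripts and allow-same-origin, so the content is
    script-free and treated as an opaque origin."""
    return (
        f'<iframe src="{USER_CONTENT_ORIGIN}/view/{message_id}" '
        'sandbox="allow-popups allow-popups-to-escape-sandbox" '
        'referrerpolicy="no-referrer"></iframe>'
    )


if __name__ == "__main__":
    print(scrub_html_mail(CONSTRUCTED_MESSAGE))
    print(message_frame("42"))
```

Run on the constructed message, the scrubber keeps the text, the https link and the image, and drops the script element, the inline handlers, the javascript: URL, the iframe, the conditional comment and the stylesheet. The point of the second half is defence in depth: the scrubber is the first line, but the separate origin plus sandbox and CSP mean a scrubber bypass still cannot run script against the webmail session, which is why a NoScript rule for the user-content domain was redundant rather than essential.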

DumbGuy 30 Oct 2020 07:56 AM

Quote:

Originally Posted by rjbs (Post 617857)
Basically: you shouldn't have to worry about it. Between scrubbing the content and sequestering it on another domain, you're being taken care of. Somebody else might give a long detailed reply but the short answer is: it gets a lot of thought.


Thx for the follow-up on this! I'd love to know if FM specifically scrubs JS before display. Maybe I'll file a Support ticket to find out. (I searched the Help pages, but no luck there.)

n5bb 30 Oct 2020 01:36 PM

The big improvements were done 5 to 6 years ago. See:

Bill

DumbGuy 30 Oct 2020 02:54 PM

Quote:

Originally Posted by n5bb (Post 617868)


Thank you, Bill !


Copyright EmailDiscussions.com 1998-2022. All Rights Reserved.