FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
28 Oct 2020, 06:54 AM | #1 |
Essential Contributor
Join Date: Oct 2008
Posts: 212
|
Webmail: Nefarious Javascript ?
I've been wondering... Is there a risk a bad actor can include nefarious javascript in an email, send it to me/anyone, and then it executes while viewing the message in FastMail's webmail?

All these years I haven't worried about it, since I know such message content would be included in the domain FastMailUserContent.com, and I use a javascript firewall when browsing (Firefox + NoScript) to block script executions from that domain. (To be more accurate, all domains are blocked for scripting, unless whitelisted, such as for FastMail.com.) I'm confident such javascript would thus be blocked when reading messages.

Now, something happened within the past day or so, whereby suddenly all images within my (webmail-read) messages would not be shown, and this is of course after I click at the top of the message to display images (actually, I use the keyboard shortcut, capital 'L'). I quickly figured out that I needed to, for some unknown reason, whitelist FastMailUserContent.com in my JS firewall (NoScript) on all of my devices/browsers, and suddenly images in emails began displaying again. I'm not sure why this is suddenly needed after all these years otherwise. Did FM begin requiring JS to display images, perhaps as some security precaution?

But now I'm back to the original evil-javascript concern and wonder if I'm suddenly vulnerable to such incoming sly emails intended to execute bad JS in my browser when I read them. Does anyone know the risk here? Does FastMail (hopefully) somehow pre-emptively prevent JS execution in message content? No one ever really talks about this. Thanks. |
29 Oct 2020, 09:18 PM | #2 |
Junior Member
Join Date: Sep 2019
Location: Philadelphia, PA
Posts: 12
|
Basically: you shouldn't have to worry about it. Between scrubbing the content and sequestering it on another domain, you're being taken care of. Somebody else might give a long detailed reply but the short answer is: it gets a lot of thought.
|
30 Oct 2020, 07:56 AM | #3 | |
Essential Contributor
Join Date: Oct 2008
Posts: 212
|
Quote:
Thx for the follow-up on this! I'd love to know if FM specifically scrubs JS before display. Maybe I'll file a Support ticket to find out. (I searched the Help pages, but no luck there.) |
|
30 Oct 2020, 01:36 PM | #4 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
The big improvements were done 5 to 6 years ago. See:

Bill
|
30 Oct 2020, 02:54 PM | #5 | |
Essential Contributor
Join Date: Oct 2008
Posts: 212
|
Quote:
Thank you, Bill! |
|