Opened 4 years ago

Closed 4 years ago

#1486449 closed Bugs (fixed)

RoundCube should ask browsers to disable DNS prefetching to protect user privacy

Reported by: trisk Owned by:
Priority: 3 Milestone: 0.4-beta
Component: Security Version: git-master
Severity: normal Keywords: dns prefetch, privacy, spam
Cc:

Description

Mozilla and Chromium browsers perform DNS prefetching to reduce the latency users experience in navigating links. This makes the browsers vulnerable to information leakage through links that are embedded in messages displayed in a webmail client like RoundCube. The implications for privacy and for spam address harvesting are similar to those of embedded images in HTML, as it is possible for the sender of a message to determine when and by whom a message was read.

The browser developers have added some means for a content provider to explictly request DNS prefetching to be disabled (or enabled). The Mozilla convention (compatible with Chromium) is documented here: https://developer.mozilla.org/en/controlling_dns_prefetching
The primary mechanism is a {{X-DNS-Prefetch-Control}} HTTP header.

The attached patch adds this header to all RoundCube pages. Plugins that access external resources can still opt-in domain names to prefetch:

private $rcmail;

function init()
{
  $this->rcmail = rcmail::get_instance();
  $this->add_hook('render_page', array($this, 'render_page'));
}

function render_page($p)
{
  $this->rcmail->output->add_header(
    html::tag('link', array('rel' => 'dns-prefetch',
                            'href' => 'http://deadgerbil.com/')));
}

Attachments (1)

disable-dns-prefetch.diff (1.2 KB) - added by trisk 4 years ago.
Send X-DNS-Prefetch-Control in send_nocacheing_headers

Download all attachments as: .zip

Change History (7)

comment:1 Changed 4 years ago by trisk

  • Priority changed from 4 to 3
  • Type changed from Patches to Bugs

I noticed someone has filed a CVE (
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0464) for this issue, and several packagers have incorporated the patch.

Can this be merged?

comment:2 Changed 4 years ago by alec

I think we should set X-DNS-Prefetch-Control header in send_nocaching_headers() function. That should be enough.

comment:3 Changed 4 years ago by trisk

The updated patch moves the X-DNS-Prefetch-Control header to send_nocacheing_headers as suggested and calls send_nocacheing_headers in more cases (regardless of whether the message in a frame, or we are viewing only a message part).

comment:4 Changed 4 years ago by alec

The patch looks not changed.

Changed 4 years ago by trisk

Send X-DNS-Prefetch-Control in send_nocacheing_headers

comment:5 Changed 4 years ago by trisk

Seems to have gone through this time.

comment:6 Changed 4 years ago by alec

  • Resolution set to fixed
  • Status changed from new to closed

Applied in [ebc619c1].

Note: See TracTickets for help on using tickets.