Opened 3 years ago
Closed 3 years ago
#1486449 closed Bugs (fixed)
RoundCube should ask browsers to disable DNS prefetching to protect user privacy
| Reported by: | trisk | Owned by: | |
|---|---|---|---|
| Priority: | 3 | Milestone: | 0.4-beta |
| Component: | Security | Version: | git-master |
| Severity: | normal | Keywords: | dns prefetch, privacy, spam |
| Cc: | | | |
Description
Mozilla and Chromium browsers perform DNS prefetching to reduce the latency users experience in navigating links. This makes the browsers vulnerable to information leakage through links that are embedded in messages displayed in a webmail client like RoundCube. The implications for privacy and for spam address harvesting are similar to those of embedded images in HTML, as it is possible for the sender of a message to determine when and by whom a message was read.
The browser developers have added some means for a content provider to explicitly request DNS prefetching to be disabled (or enabled). The Mozilla convention (compatible with Chromium) is documented here: https://developer.mozilla.org/en/controlling_dns_prefetching
The primary mechanism is an X-DNS-Prefetch-Control HTTP header.
The attached patch adds this header to all RoundCube pages. Plugins that access external resources can still opt-in domain names to prefetch:
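```php
// Wrapper class added so the fragment is complete; the class name is hypothetical.
class dns_prefetch_optin extends rcube_plugin
{
    private $rcmail;

    function init()
    {
        $this->rcmail = rcmail::get_instance();
        // Call render_page() below each time a page is rendered
        $this->add_hook('render_page', array($this, 'render_page'));
    }

    function render_page($p)
    {
        // Opt this one host back in to DNS prefetching
        $this->rcmail->output->add_header(
            html::tag('link', array('rel' => 'dns-prefetch',
                                    'href' => 'http://deadgerbil.com/')));
    }
}
```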
Attachments (1)
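A check an administrator could run against a deployment to confirm that pages carry the header described above and to list any hosts a plugin has opted back in. This is an added example, not part of the ticket, its attachment, or RoundCube's code; the sample responses and hostnames are constructed, and the names `LinkScan` and `audit_response` are illustrative.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real server).
_PAGE = "<html><head>%s</head><body><a href='http://tracker.example/u/42'>x</a></body></html>"
UNPATCHED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + _PAGE % ""
PATCHED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           "X-DNS-Prefetch-Control: off\r\n\r\n" + _PAGE % "")
PLUGIN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "x-dns-prefetch-control: off\r\n\r\n"
          + _PAGE % '<link rel="dns-prefetch" href="http://static.example/">')


class LinkScan(HTMLParser):
    """Collect hosts named in <link rel="dns-prefetch"> opt-in tags."""

    def __init__(self):
        super().__init__()
        self.opt_in_hosts = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "dns-prefetch" in a.get("rel", "").lower().split():
            href = a.get("href", "")
            self.opt_in_hosts.append(urlsplit(href).hostname or href)


def audit_response(raw):
    """Return (header_value, opt_in_hosts, findings) for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, val = line.partition(":")
        if sep:  # header names are case-insensitive
            headers[name.strip().lower()] = val.strip().lower()
    value = headers.get("x-dns-prefetch-control")
    scan = LinkScan()
    scan.feed(body)
    findings = []
    if value != "off":
        findings.append("header missing or not 'off'")
    findings += ["explicit dns-prefetch opt-in: " + h for h in scan.opt_in_hosts]
    return value, scan.opt_in_hosts, findings


if __name__ == "__main__":
    for label in ("UNPATCHED", "PATCHED", "PLUGIN"):
        print(label, audit_response(globals()[label]))
```

An opt-in is reported for review rather than treated as a failure, since the ticket allows plugins to prefetch named hosts deliberately.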
Change History (7)
comment:1 Changed 3 years ago by trisk
- Priority changed from 4 to 3
- Type changed from Patches to Bugs
comment:2 Changed 3 years ago by alec
I think we should set X-DNS-Prefetch-Control header in send_nocaching_headers() function. That should be enough.
comment:3 Changed 3 years ago by trisk
The updated patch moves the X-DNS-Prefetch-Control header to send_nocacheing_headers as suggested and calls send_nocacheing_headers in more cases (regardless of whether the message is in a frame, or we are viewing only a message part).
comment:4 Changed 3 years ago by alec
The patch looks unchanged.
comment:5 Changed 3 years ago by trisk
Seems to have gone through this time.
comment:6 Changed 3 years ago by alec
- Resolution set to fixed
- Status changed from new to closed
Applied in [ebc619c1].

I noticed someone has filed a CVE (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0464) for this issue, and several packagers have incorporated the patch.
Can this be merged?