On Jul 3, 2014, at 00:57 , Torsten Irländer <[email protected]> wrote:
> Hmm... I was thinking of a simple HTML mail with some JS code which gets
> executed in Alice's browser when opening the Mail. Is this problematic to start
> because the webmailer hopefully escapes and strips such malicious code?

Even with JS code in an HTML mail within a browser, cross domain policies are still enforced.

> Is it? The request is triggered in Alice's browser window when opening the
> email. Maybe I need to read more about the cross domain policy?

I would recommend reading up on cross domain policies, it is going to be a lot more helpful than you trying to guess what is going to happen when someone receives an email. There are very specific requirements that have to be met for a cross domain GET request to fetch data and allow the page it is being loaded into to use said data.

> Ok, that seems to be clear.

Cool.

> Torsten

Bert
