Project

General

Profile

Javascript in Icedove

koszko - 13 days ago -

Javascript is enabled by default in Icedove. Is this how it should be?

Globally-enabling js in browsers used to lead to executing a lot of nonfree software, often unknowingly1, and also to security vulnerabilities. Is it the same with email clients?

I read somewhere2, that Thunderbird in some ancient times blocked execution of js in emails, but kept it for RSS feeds. Is this still the case?

Until someone gives more info on this matter, I decided to disable js in Icedove through:

Edit->Preferences->Advanced->General->Config Editor...->I accept the risk!

Then I searched for javascript.enabled option and set it to false

[1] https://www.gnu.org/philosophy/javascript-trap.html
[2] https://www.ghacks.net/2012/01/21/how-to-make-thunderbird-more-secure/


Replies (1)

javascript in icedove - bill-auger - 13 days ago -

icedove is not the best email client for privacy-conscious folks
- it has a built-in web browser; and it the ability to configure
its behavior is minimal - im not sure; but that javascript
setting may only affect the web browser

overall, i would suggest using claws-mail, sylpheed, or some
other one, which does not have a built-in web browser - for
icedove, there is a 'icedove-hardened-preferences' package in the
[nonprism] repo, which disables many features of that sort,
including 'javascript.enabled'

https://git.parabola.nu/abslibre.git/tree/nonprism/icedove-hardened-preferences/icedove-branding.js

rather than disabling only javascript though, it is best to
disable rendering of HTML in emails entirely, presenting only the
plain text part of the email - with that setting, some emails
will be empty; but in practice, 99% of email which does not have
a plain text part, is advertisements

that can be done in the GUI; but its a bit clumsy to do, and
difficult to explain how; because the UI is ao awful (these exact
instructions would not have been accurate a few months ago; and
probably wont be accurate in a few months from now) - but today
you can:

  • press ALT+f
  • use then menu to select: view->message_body_as->plain_text
  • press the "hamburger" button
  • use the menu to select: preferences->preferences
  • click on the "lone ranger mask" button
  • deselect 'allow remote content' under the 'mail content' heading
    (1-1/1)