28 Oct 2020, 06:54 AM   #1
DumbGuy
Webmail: Nefarious JavaScript?

I've been wondering... Is there a risk a bad actor can include nefarious JavaScript in an email, send it to me/anyone, and then it executes while viewing the message in FastMail's webmail?

All these years I haven't worried about it, since I know such message content would be included in the domain FastMailUserContent.com, and I use a JavaScript firewall when browsing (Firefox + NoScript) to block script executions from that domain. (To be more accurate, all domains are blocked for scripting, unless whitelisted, such as for FastMail.com.) I'm confident such JavaScript would thus be blocked when reading messages.

Now, something happened within the past day or so, whereby suddenly all images within my (webmail-read) messages would not be shown, and this is of course after I click at the top of the message to display images (actually, I use the keyboard shortcut, capital 'L').

I quickly figured out that I needed to, for some unknown reason, whitelist FastMailUserContent.com in my JS firewall (NoScript) on all of my devices/browsers, and suddenly images in emails began displaying again. I'm not sure why this is suddenly needed after all these years otherwise. Did FM begin requiring JS to display images, perhaps as some security precaution?

But now I'm back to the original evil-javascript concern and wonder if I'm suddenly vulnerable to such incoming sly emails intended to execute bad JS in my browser when I read them. Does anyone know the risk here? Does FastMail (hopefully) somehow pre-emptively prevent JS execution in message content? No one ever really talks about this.

Thanks.