EmailDiscussions.com  

Old 28 Oct 2020, 07:54 AM   #1
DumbGuy
Senior Member
 
Join Date: Oct 2008
Posts: 190
Webmail: Nefarious Javascript?

I've been wondering... Is there a risk a bad actor can include nefarious javascript in an email, send it to me/anyone, and then it executes while viewing the message in FastMail's webmail?

All these years I haven't worried about it, since I know such message content would be included in the domain FastMailUserContent.com, and I use a javascript firewall when browsing (Firefox + NoScript) to block script executions from that domain. (To be more accurate, all domains are blocked for scripting, unless whitelisted, such as for FastMail.com.) I'm confident such javascript would thus be blocked when reading messages.

Now, something happened within the past day or so, whereby suddenly all images within my (webmail-read) messages would not be shown, and this is of course after I click at the top of the message to display images (actually, I use the keyboard shortcut, capital 'L').

I quickly figured out that I needed to, for some unknown reason, whitelist FastMailUserContent.com in my JS firewall (NoScript) on all of my devices/browsers, and suddenly images in emails began displaying again. I'm not sure why this is suddenly needed after all these years otherwise. Did FM begin requiring JS to display images, perhaps as some security precaution?

But now I'm back to the original evil-javascript concern and wonder if I'm suddenly vulnerable to such incoming sly emails intended to execute bad JS in my browser when I read them. Does anyone know the risk here? Does FastMail (hopefully) somehow pre-emptively prevent JS execution in message content? No one ever really talks about this.

Thanks.

Old 29 Oct 2020, 10:18 PM   #2
rjbs
Junior Member
 
Join Date: Sep 2019
Location: Philadelphia, PA
Posts: 12
Basically: you shouldn't have to worry about it. Between scrubbing the content and sequestering it on another domain, you're being taken care of. Somebody else might give a long detailed reply but the short answer is: it gets a lot of thought.
Old 30 Oct 2020, 08:56 AM   #3
DumbGuy
Senior Member
 
Join Date: Oct 2008
Posts: 190
Quote:
Originally Posted by rjbs View Post
Basically: you shouldn't have to worry about it. Between scrubbing the content and sequestering it on another domain, you're being taken care of. Somebody else might give a long detailed reply but the short answer is: it gets a lot of thought.

Thx for the follow-up on this! I'd love to know if FM specifically scrubs JS before display. Maybe I'll file a Support ticket to find out. (I searched the Help pages, but no luck there.)
Old 30 Oct 2020, 02:36 PM   #4
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,626
The big improvements were done 5 to 6 years ago. See:

Bill
Old 30 Oct 2020, 03:54 PM   #5
DumbGuy
Senior Member
 
Join Date: Oct 2008
Posts: 190

Thank you, Bill !
All times are GMT +9. The time now is 04:32 PM.