Privacy: Mailspring loads assets on view even with "automatically load images" unchecked

Description

Apparently Mailspring loads things like CSS and JS in its viewer? The option for disabling “automatically load images” should be changed to “automatically load assets” and modified to include all assets over remote connections.

I have found that an email containing a remote CSS asset will still load that CSS asset, thus giving spammers or advertisers a means to track the email read.

Aside from this, it's probably a bad idea to allow CSS/JS assets to load at all. AND the default should be DISABLED loading of assets. (default security & privacy first?)

To Reproduce…

  1. Disable “automatically load images”
  2. Enable a firewall (like Little Snitch) or load Wireshark
  3. Click on an email with a remote CSS asset and watch the asset attempt to load. PayPal and eBay emails are good candidates to trigger this as they both inject CSS/JS into their emails even though it's considered bad practice.

Expected Behavior

Other mail clients use the vernacular “automatically load images” because they do NOT EVER load CSS/JS. You might want to consider following suit. But if not, then you might want to change the concept from “images” to “remote assets” (since local embedded images should load fine).

Screenshots

This screenshot shows Little Snitch asking if we should allow a connection when viewing a PayPal email. Note from the top of the PayPal email you can see the UI indicating that automatic loading of images is disabled.

Setup

  • OS and Version: Mac 12.4
  • Installation Method: Installer / DMG
  • Mailspring Version: 1.10.3

Additional Context

Related to this bug which also breaks Privacy in Composer
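
An added example, not part of the original report and not Mailspring code: a Python script that lists every reference in an HTML message body that a renderer would fetch over the network on view. Entries whose tag is not `img` are the kind of remote asset the report describes; `cid:` and `data:` references are treated as local. The sample message, hostnames and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes fetched at render time. href counts only on <link>; on <a> it needs a click.
FETCH_ATTRS = {"src", "background", "poster"}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)

def is_remote(url):
    # http(s) and protocol-relative URLs leave the machine; cid:, data: and relative refs do not.
    url = url.strip()
    return url.startswith("//") or urlparse(url).scheme.lower() in ("http", "https")

class RemoteAssetFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []          # (tag, url) pairs in document order
        self._in_style = False
    def _scan_css(self, tag, css):
        for m in CSS_URL.finditer(css):
            url = m.group(1) or m.group(2)
            if is_remote(url):
                self.found.append((tag, url))
    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if name == "style" and value:          # inline CSS on any element
                self._scan_css(tag, value)
            elif value and (name in FETCH_ATTRS or (name == "href" and tag == "link")) and is_remote(value):
                self.found.append((tag, value))
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:                         # body of a <style> element
            self._scan_css("style", data)

def remote_assets(html):
    finder = RemoteAssetFinder()
    finder.feed(html)
    finder.close()
    return finder.found

# Constructed sample message body (hostnames are placeholders).
SAMPLE = """<link rel="stylesheet" href="https://tracker.example/c.css?u=42">
<style>@import "https://tracker.example/i.css"; .h{background:url(cid:bg@local)}</style>
<img src="cid:logo@local"><img src="https://cdn.example/pixel.gif">
<script src="//cdn.example/a.js"></script><a href="https://shop.example/">shop</a>
<td style="background:url('https://tracker.example/b.png')">x</td>"""

if __name__ == "__main__":
    for tag, url in remote_assets(SAMPLE):
        print(f"{tag:8} {url}")
```
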