Package: urlscan
Version: 0.9.5-1
Severity: wishlist
Tags: upstream
X-Debbugs-Cc: debbug.urls...@sideload.33mail.com

Tracker pixels are quite commonly used to snoop on email recipients. URLscan ignores URLs that specify an image to render. Ideally there should be two lists of URLs:

1) URLs that users might want to visit
2) IMG URLs.

This list can be useful in two ways:

* Someone might want to view or fetch an image (though unlikely; they can always render the message in a GUI browser for that)
* To view all possible URLs that could be a tracker pixel.

Tracker pixels cannot easily be detected programmatically, so the URLs need to be presented in a way that makes it easy for a human to detect it manually.

It might also be useful for a user to have the option of tagging a URL they determine to be a tracker pixel which could then be added to a database of known tracker pixel URLs. Senders tend to make tracker pixels unique per recipient, not per message. So when another message from the same sender is fed to urlscan, it could recognize already identified tracker pixels and highlight them in some way. And more usefully, the DB could be queried by the MUA so tracked messages can be highlighted to users in the MUA.

If this functionality is implemented, the developer should be mindful of embedded images. It’s possible for IMG tags to contain an embedded “URI image”, whereby a very long string in base64 encodes an image. Syntax is described here:

https://www.thesitewizard.com/html-tutorial/embed-images-with-data-urls.shtml

Such images are certainly not tracker pixels and should be ignored. Though URI images would probably be ignored naturally since they contain no URL anyway.

FYI, this same request was submitted to the urlview project:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068252

-- System Information:
Debian Release: 11.5
  APT prefers oldstable-updates
  APT policy: (990, 'oldstable-updates'), (990, 'oldstable-security'), (990, 'testing'), (990, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-19-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages urlscan depends on:
ii  python3        3.9.2-3
ii  python3-urwid  2.1.2-1

Versions of packages urlscan recommends:
ii  libcanberra-gtk3-module  0.30-7

Versions of packages urlscan suggests:
ii  elinks [www-browser]              0.13.2-1+b1
ii  firefox-esr [www-browser]         102.6.0esr-1~deb11u1
ii  lynx [www-browser]                2.9.0dev.6-3~deb11u1
ii  neomutt                           20201127+dfsg.1-1.2
ii  ungoogled-chromium [www-browser]  90.0.4430.212-1.sid1
ii  w3m [www-browser]                 0.5.3+git20210102-6

-- no debconf information
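
The split requested in this report (link URLs in one list, IMG URLs in another, embedded data: images skipped, previously tagged pixel URLs highlighted) could look like the following. This is an added example, not part of the original report and not urlscan's code; `URLCollector`, `split_urls`, the constructed sample message and the in-memory set standing in for the tracker database are all assumptions.

```python
"""Added illustration: separate link URLs from IMG URLs in an HTML e-mail."""
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample message (not real traffic).
SAMPLE = """\
From: news@sender.example
To: user@recipient.example
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://sender.example/offer">See the offer</a></p>
<img src="https://sender.example/logo.png" width="200" height="60">
<img src="https://sender.example/o/u123.gif" width="1" height="1"/>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline">
</body></html>
"""


class URLCollector(HTMLParser):
    """Hypothetical helper: keep <a href> and remote <img src> in two lists."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            src = attrs["src"].strip()
            # Embedded data: URI images fetch nothing remote, so skip them.
            if not src.lower().startswith("data:"):
                self.images.append(src)


def split_urls(raw_message, known_trackers=frozenset()):
    """Return (links, images, flagged) for every text/html part."""
    collector = URLCollector()
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    # Exact match: the report notes pixel URLs are per recipient, not per message.
    flagged = [u for u in collector.images if u in known_trackers]
    return collector.links, collector.images, flagged
```

Calling `split_urls(SAMPLE, {"https://sender.example/o/u123.gif"})` returns the one link, the two remote image URLs, and the tagged pixel URL as the flagged entry.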