Monday, November 03, 2003

Sandboxing Outlook's HTML Display.

One of the perfidious things out there on the web right now are the nicely formatted "scam" emails that purport to be from places like PayPal.  Sometimes it can be pretty hard to distinguish these from the real thing -- the problem is that the HTML displays inside of common programs, like Outlook, don't show you where they're getting their information from.  The email program cracks the email apart, extracts the HTML content, then hands it to a browser component for display.

What we need to do is have the email program pass the domain of the reply-to or message-source field to the browser component, which is then instructed to not display anything that is not from that domain.  HTTP requests for that content in that component will not be sourced from anywhere but the indicated domain.  What's more, if any part of the page tries to hit something outside that domain, the entire message will not display.

This will pretty much eliminate HTML-formatted spam email.  It won't work because the pages can't access anything other than the server that sent the email.  Forge that, and your email doesn't display.

Note that we can extend this concept to include regular email as well.  If the email contains a web address that comes from anywhere other than the domain that sent the address, we can elect to not display it.  Of course, this messes up having one friend send a link to another...so it's not particularly workable as is.


1:21:29 PM    


© Copyright 2003 Ross Judson .
Last update: 11/9/2003; 12:02:12 AM .

Click here to visit the Radio UserLand website. Valid CSS! Subscribe to "Java Etc." in Radio UserLand. Click to see the XML version of this web page. Click here to send an email to the editor of this weblog.