Why Developers Don't Want HTML Email
In an opinion article today, Dave Winer contemplates, "Why developers want HTML rendering in the OS" and goes on to explain his experience of sending an email to a group of people. The great thing was, according to Dave, this email included a piece of Javascript that made a call back to a server where it could run a random banner-ad type script, which naturally, displayed a random banner ad right there in your email client!
Dave goes on to give a brief explanation of how this all happened, drops the expected Linux references, and summarizes with thanks to Microsoft for providing the software that is "enabling the revolution."
Revolution? To any security-minded person, this is more of a nightmare! How does JavaScript embedded in email constitute a revolution? If anything, allowing JavaScript to be executed by your email client is a serious compromise of the security of your system. However, I'm not here to talk about the security issues surrounding scriptable email messages; that's been beaten to death already on BugTraq:
- Attaching local files to a mailto: link
- Active Scripting may read email messages
- Running an executable attachment through what appears to be a valid HTML link
- Forms ActiveX control advisory
On top of the security issues listed above, imagine what kind of JavaScript-enabled spam you could get from people! Now instead of spam email that has a link to the "Make Money Fast" website, your JavaScript-enabled email client executes a document.open() call that brings up the "Make Money Fast" website in your browser. Porn pop-up windows, anyone? You get the idea.
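The mitigation on the receiving side is not to render active content at all: strip scripts, event handlers and non-http URLs from the HTML part before the mail client displays it. The following allow-list sanitizer is an added example written for this page, not code from the article or from any mail client it mentions; the element and attribute lists, the `is_safe_url()` scheme check and the sample message are all assumptions chosen to illustrate the point. The sample message is constructed to mirror the article's scenario (a banner-ad script, a `javascript:` link carrying an event handler, a legitimate link and a tracking pixel).

```python
from html import escape
from html.parser import HTMLParser

# Elements removed together with everything inside them: active content and
# anything that can pull in remote code or submit data from inside a message.
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "applet",
                     "iframe", "frame", "frameset", "form"}
# Formatting elements that survive; any other tag is unwrapped (tag removed,
# its text kept).  Remote images are deliberately absent: loading them reveals
# when and from where a message was read.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "blockquote", "h1", "h2", "h3"}
VOID_TAGS = {"br"}
# Attribute allow-list per element (an assumption for this example): no "style",
# no event handlers.
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"title"}, "div": {"title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def is_safe_url(value):
    """True only for an explicit http(s)/mailto URL.

    Whitespace and control characters are removed before the scheme check so
    that "java\\tscript:" or "java&#115;cript:" (already decoded by the parser)
    cannot slip past a naive prefix test.
    """
    compact = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return compact.lower().startswith(SAFE_SCHEMES)


class MailSanitizer(HTMLParser):
    """Allow-list sanitizer for the HTML part of an e-mail."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments
        self.dropped = []      # audit trail of what was removed
        self.drop_depth = 0    # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            self.dropped.append(f"tag:{tag}")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):            # onclick, onload, ...
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                         # silently drop style, class, ...
            if name in URL_ATTRS and not is_safe_url(value):
                self.dropped.append(f"url:{tag}@{name}={value!r}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            # Re-escape: the parser decoded entities, so "&lt;script&gt;" in
            # the source must not come back out as live markup.
            self.out.append(escape(data, quote=False))


def sanitize_html_mail(html):
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    # An unterminated <script>/<object> leaves drop_depth > 0; everything after
    # it was discarded, which is the safe way to fail.
    return "".join(parser.out), parser.dropped


# Constructed sample mirroring the article: a banner-ad script, a
# javascript: link with an event handler, a legitimate link, a tracking pixel.
SAMPLE_MESSAGE = (
    "<p>Hello <b>reader</b>,</p>"
    '<script>document.open("http://ads.example/banner");</script>'
    "<a href=\"javascript:window.open('http://spam.example')\" onclick=\"go()\">Click</a>"
    '<a href="https://example.org/news">News</a>'
    '<img src="http://tracker.example/pixel.gif">'
    "<p>Regards</p>"
)

if __name__ == "__main__":
    clean, dropped = sanitize_html_mail(SAMPLE_MESSAGE)
    print(clean)
    for item in dropped:
        print("dropped", item)
```

The sanitizer is allow-list based on purpose: rather than hunting for known-bad constructs, it keeps only a small set of formatting tags and attributes and discards everything else, so a new scripting vector the author never heard of is dropped by default. The `dropped` list is returned so a client can show the user what was removed, or log it for detection purposes.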
Which developers want HTML email - much less JavaScript-enabled email - in their inbox? The majority of developer mailing lists in fact discourage sending any sort of non-text email, including HTML and JavaScript-encoded email. Why does Dave make such a broad statement claiming that this is what "developers" want? I am a developer, and Dave sure as hell doesn't speak for me. This article appeared on scripting.com, but I doubt many scripting developers would agree with Dave either. A casual reader, teacher, or executive might stumble across a site about scripting such as scripting.com and think that what Dave is saying is in fact what people who 'script' and 'develop' want.
In summary, I think Dave (as well as companies like Microsoft) should think more about the security and privacy issues that surround a topic like this, and protect us as users first before developing functionality that might put our sensitive information at risk through the use of an insecure technology such as scriptable email.