Why do emails not load images directly


Question


Email providers like Gmail, Yahoo and Hotmail do not load images in the email directly. These services require you to allow the images to be loaded. Why do they do this? Is it to prevent XSS/CSRF?

Recommended answer


Two reasons - Privacy and CSRF.

Privacy


It allows the sender to figure out whether I have opened the email or not, without my knowledge. Spammers can figure out whether their "marketing" campaigns have had any impact or not.

CSRF


For CSRF to work, the victim has to click a link or visit the attacker's page. If email clients were to display images automatically, just opening an email would be sufficient to launch a CSRF attack.


For example, let's assume PayPal had a CSRF vulnerability. Also assume that the user was logged on to PayPal. Now, an attacker sends the user an email with <img src="http://paypal.com/transferfunds?fromAccount=victim&toAccount=attacker"/>. As soon as the user opens the email, funds would get transferred.
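The filter below is an added example, not part of the original question or answer: it shows the client-side mitigation the answer describes, a pass over the HTML body that neutralises every remote <img src> before the message is rendered, so that neither a tracking pixel nor a crafted state-changing URL is fetched until the reader explicitly asks for images. Inline images referenced by cid: (MIME parts) and data: URIs never reach a server and are left intact. The sample message, the domains tracker.example and bank.example, and the data-blocked-src attribute name are all constructed for this example.

```python
"""Remote-image blocking of the kind an email client applies before rendering.

Added example; not code from the original Q&A. A remote <img src> is the
vector for both problems the answer names: a tracking pixel reveals that the
message was opened, and a crafted URL fires a GET at a site where the reader
is logged in. Local schemes (cid:, data:) contact no server and are kept.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes that resolve inside the client: nothing is sent over the network.
SAFE_IMAGE_SCHEMES = {"cid", "data"}

# Attribute name chosen for this example; a real client would use its own.
BLOCKED_ATTR = "data-blocked-src"


def is_remote_source(src: str) -> bool:
    """True if fetching this image source would contact a network host.

    Scheme-less sources ("//host/pixel.gif", "img/x.png") count as remote:
    an email has no local base document, so the client would resolve them
    against the network.
    """
    scheme = urlsplit(src.strip()).scheme.lower()
    return scheme not in SAFE_IMAGE_SCHEMES


class RemoteImageBlocker(HTMLParser):
    """Rebuilds the HTML, replacing each remote <img src> with a placeholder."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []       # rebuilt HTML fragments
        self.blocked = []   # remote URLs that were withheld from the renderer

    def _emit_tag(self, tag, attrs, self_closing):
        rendered = []
        for name, value in attrs:
            if tag == "img" and name.lower() == "src" and value and is_remote_source(value):
                self.blocked.append(value)
                # Park the URL on a data-* attribute so the client can offer a
                # "load remote images" action later; rendering engines do not
                # fetch data-* attributes, so nothing leaves the client now.
                rendered.append((BLOCKED_ATTR, value))
                rendered.append(("src", "about:blank"))
                continue
            rendered.append((name, value))
        # HTMLParser hands us decoded attribute values, so re-escape on output.
        attr_text = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in rendered
        )
        self.out.append(f"<{tag}{attr_text}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def block_remote_images(message_html: str) -> tuple[str, list[str]]:
    """Return (safe_html, blocked_urls) for an HTML email body."""
    parser = RemoteImageBlocker()
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample message: one inline logo, one tracking pixel, and one
# image whose URL would trigger a state change on a site the reader uses.
SAMPLE_EMAIL_HTML = (
    "<p>Your invoice is attached.</p>"
    '<img src="cid:logo@mail.example" alt="logo">'
    '<img src="https://tracker.example/open.gif?id=4711" width="1" height="1">'
    '<img src="https://bank.example/transferfunds?fromAccount=victim&toAccount=attacker"/>'
)

if __name__ == "__main__":
    safe_html, blocked = block_remote_images(SAMPLE_EMAIL_HTML)
    print(safe_html)
    print("withheld:", blocked)
```

Running it on the sample leaves the cid: logo untouched and reports the two remote URLs as withheld; the rendered body contains only about:blank placeholders, so opening the message neither signals the sender nor sends the reader's session cookies to bank.example. The same check applied on the server side is the complementary fix the answer implies: a transfer endpoint that only accepts POST with a CSRF token cannot be triggered by an image fetch at all.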
