Opened 5 years ago

Last modified 22 months ago

#13204 new defect

TOR Browser Bundle interprets 'mailto' links as downloads

Reported by: Orthogonal
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

If a 'mailto' link (e.g. mailto:user@…) is clicked, instead of starting a new email in an email client, the TOR Browser Bundle gives the warning:

Tor Browser cannot display this file. You will need to open it with another application.
Some types of files can cause applications to connect to the internet without using Tor.
To be safe, you should only open downloaded files while offline, or use a Tor live CD such as Tails.

mailto: addresses are not files, and no data can be leaked from clicking on one. To be fixed, this warning should be removed for mailto: addresses and an attempt should be made to open the address in the default system mail client.

Change History (4)

comment:1 Changed 5 years ago by gk

While I may agree that the warning is inappropriate in this case, I am not sure I want to have a client program on the user's computer opened by clicking on a mailto: link by default. I'd like to avoid the correlation between clicking on the mailto: link and IP address leaks due to mail clients, e.g. auto-fetching mails on start-up.

comment:2 Changed 5 years ago by gk

See #7542 for a related bug.

comment:3 Changed 5 years ago by helloworld876

> no data can be leaked from clicking on one

How about e-mail clients that automatically save a draft to the server if a new e-mail is edited? If the e-mail provider is malicious and the e-mail address can be linked to a Tor session, the user can be un-anonymized.

comment:4 Changed 22 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"