Recent versions of Emacs have a really good renderer for HTML written entirely in Elisp. This renderer (shr) can be used for displaying HTML emails, documentation, etc. However, it seems that shr retrieves remote resources referenced in HTML documents (e.g. images). If the HTML is untrusted, as in the case of spam emails, this leads to a number of security and privacy concerns.
Question: How is it possible to prevent shr from accessing remote resources when rendering HTML?
shr.el has a (defvar shr-inhibit-images nil), and a
(defcustom shr-blocked-images nil "Images that have URLs matching this regexp will be blocked." :version "24.1" :group 'shr :type '(choice (const nil) regexp)) It seems like (setq shr-inhibit-images t) stops the web requests when I view HTML emails.
Note that it turns off image display for eww entirely. That is OK for me but might not work for you. You can of course add an eww-mode keybinding that would toggle this + reload a given page when turning images on.
shr-inhibit-images to t when rendering HTML emails. This way eww should be unaffected. mu4e-shr2text. My modified version with inhibition of images can be found here: github.com/tmalsburg/mu/blob/master/mu4e/mu4e-contrib.el#L44 I doubt that statement about cookies and javascript. Cookies are not retrieved using separate connections and eww/shr has no support for javascript to my knowledge.
url.elonly.url.elrefuse access to remote resources? That sounds like it could break things in shr. I think shr should be able to distinguish between local and remote resources and it should have a mode in which it doesn't even attempt to retrieve remote stuff.