Why do emails not load images directly

Submitted by 不羁的心 on 2020-01-04 03:50:27

Question

Email providers like Gmail, Yahoo, Hotmail do not load images in the email directly. These services require you to allow the images to be loaded. Why do they do this? Is it to prevent XSS/CSRF?


Answer 1:

Two reasons - Privacy and CSRF.

Privacy

It allows the sender to figure out whether I have opened the email or not, without my knowledge. Spammers can figure out whether their "marketing" campaigns have had any impact or not.

CSRF

For CSRF to work, the victim has to click a link or visit the attacker's page. If email clients were to display images automatically, just opening an email would be sufficient to launch a CSRF attack.

For example, let's assume PayPal had a CSRF vulnerability. Also assume that the user was logged on to PayPal. Now, an attacker sends the user an email with <img src="http://paypal.com/transferfunds?fromAccount=victim&toAccount=attacker"/>. As soon as the user opens the email, funds would get transferred.

Answer 2:

Because this allows the (potentially hostile sender's) server to know the email was received.

Answer 3:

A lot of spam emails use images to identify valid mail addresses by embedding malicious images in the content. For example:

<img src="http://example.com/validImage.png?mail=toto@example.com" />
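Answers 1 and 3 describe the two things an automatically fetched image can do: report that a specific address opened the mail, or fire a request that the recipient's logged-in browser session authorises. As an added example (not code from the original answers), here is the defensive counterpart a mail client applies before rendering: every remote `<img>` is rewritten to a local placeholder so nothing is fetched on open, the original URL is kept for an explicit "load images" click, and each blocked image is reported with the reasons it looked like a tracker. The class and function names, the `cid:blocked-placeholder` value and the heuristics are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def classify(src, attrs):
    """Reasons a remote image looks like a tracker or a blind request; [] if none."""
    url, reasons = urlparse(src), []
    values = [v for vs in parse_qs(url.query).values() for v in vs]
    if any(EMAIL_RE.match(v) for v in values):
        reasons.append("recipient address in query string")  # the Answer 3 pattern
    elif url.query:
        reasons.append("carries query parameters")  # per-recipient token or request args
    if attrs.get("width") == "1" and attrs.get("height") == "1":
        reasons.append("1x1 pixel")  # invisible tracking pixel
    return reasons

class RemoteImageBlocker(HTMLParser):
    """Hypothetical mail-client pass: rewrite every remote <img> so opening the mail fetches nothing."""
    def __init__(self):
        super().__init__()
        self.out, self.blocked = [], []

    def handle_starttag(self, tag, attrs, selfclosing=False):
        attrs = dict(attrs)  # value is None for bare attributes like <img hidden>
        src = attrs.get("src") or ""
        if tag == "img" and urlparse(src).scheme in ("http", "https"):
            self.blocked.append((src, classify(src, attrs)))
            attrs["data-blocked-src"] = src  # kept for an explicit "load images" click
            attrs["src"] = "cid:blocked-placeholder"  # local placeholder, no network fetch
        rendered = "".join(f" {k}" if v is None else f' {k}="{v}"' for k, v in attrs.items())
        self.out.append(f"<{tag}{rendered}{' /' if selfclosing else ''}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, selfclosing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

def block_remote_images(html):
    """Return (rewritten_html, [(url, reasons), ...]) for one HTML mail body."""
    parser = RemoteImageBlocker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked
```

Inline `cid:` attachments are left alone, so legitimate embedded images still render; only the network-fetched ones are held back until the user asks for them.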


Source: https://stackoverflow.com/questions/3607518/why-do-emails-not-load-images-directly
