[MlMt] Any way to reload MmMessagesWebView/stylesheet.css at runtime?

[Benny Kjær Nielsen]

On 27 Jan 2016, at 23:56, Philip Paeps wrote:

> While tinkering with my PGP-mystery earlier today, I discovered that 
> my hacked up stylesheet.css has left me with a bright yellow box / 
> frame on a cream background in some cases (partially signed messages).
>
> How would I go about changing the style of partially signed messages?  
> I am guessing it's something like this but with different `type=` and 
> `subtype=` parameters.
>
> div.bodypart[type=message][subtype=rfc822] { }

No, that would target embedded emails (“Forward as Attachment”).

I think you can target a signed part like this:

	div.bodypart[type=multipart][subtype=signed] { }

But the yellow border is currently hardcoded as can be seen in this part 
of the generated HTML:

	<div class="message">
		<div class="bodypart" unique_id="247672" type="multipart" 
subtype="mixed" disposition="inline">
			<div style="border-style:solid; border-width: 1px; 
border-color:yellow; padding: .5em; margin: .5em 0em;">
				<div class="bodypart" unique_id="247673" type="multipart" 
subtype="signed" disposition="inline">

It was a quick hack to make sure that MailMate clearly indicates if 
someone has taken a signed email and extended its content with unsigned 
body part(s). This is essentially what often happens on the mailing list 
when the footer is added.

I've now changed it such that you can style it with a custom stylesheet. 
Look for `div.security` in the default stylesheet. I haven't changed how 
it looks (which is pretty ugly). You are welcome to share it if you come 
up with something better.

Off topic related security fact:

Last time I checked, Apple Mail handled this incorrectly for S/MIME 
messages. I reported it 3 years ago and it was marked as a duplicate, 
but it's still an open bug. I guess that means they don't think it's 
important and that I can share this information publicly...

Checking again I can see that this is still a problem on El Capitan. My 
example message was an email from an Apple employee sent to a mailing 
list. I extended it with some additional text and an attachment. These 
parts are naturally unsigned, but Apple Mail displays it like everything 
is signed.

At least it appears it's not possible to put the unsigned content before 
the signed content. It doesn't trigger a warning, but Apple Mail then 
simply ignores that the message has signed parts at all. I just realized 
that it *is* possible to make the signed part appear as an attachment. 
By providing a filename then it's even possible to make it appear as if 
it's some kind of failed logo. It looks like this:

![](cid:B0EE9917-CB68-45C8-A59E-FBC72771415A at freron.com 
"apple_mail_example.png")

There are no limits with regard to the text or attachments added to this 
message.

I haven't checked any other email clients, but I doubt it's a common 
issue. I'm guessing most email clients would just ignore that the email 
is signed and/or encrypted. Also don't interpret it as me stating that 
MailMate is more secure than Apple Mail. MailMate has its own issues and 
I know Apple has plenty of security experts much more capable than I am. 
(I do think one of them should fix this bug though.)

Note that the Apple employee used in my example is completely unrelated 
to the issue itself. He's not to blame. I just needed a publicly 
available email to construct a convincing example.

I have attached the example email if anyone wants to try it out in Apple 
Mail or other email clients. That should also test how MailMate handles 
it...

...and this shows that MailMate does not like the `attachment` 
disposition of the `multipart/signed` body part. It is shown both inline 
(as it should) and as an attachment (which is shouldn't). Worse, 
clicking “Quick Look” shows the wrong attachment.

I've fixed these bugs and I've added a new feature: The context 
sensitive menu now includes a “Detach Message” menu item. This 
extracts the attached email and puts it in the same mailbox. It is also 
automatically selected. This is also useful for the “digest message” 
issue discussed recently on the mailing list.

Hold down ⌥ when clicking “Check Now” in the Software Update 
preferences pane to get the test release.

> A few more comments in stylesheet.css would be helpful. :)

Apparently I'm too busy ranting on the mailing list :-)

-- 
Benny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freron.com/pipermail/mailmate/attachments/20160129/84544479/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apple_mail_example.png
Type: image/png
Size: 35268 bytes
Desc: not available
URL: <http://lists.freron.com/pipermail/mailmate/attachments/20160129/84544479/attachment-0001.png>
-------------- next part --------------
An embedded message was scrubbed...
From: Ian Anderson <iana at apple.com>
Subject: The world is going under tomorrow
Date: Sun, 16 Jan 2013 16:31:36 -0800
Size: 7563
URL: <http://lists.freron.com/pipermail/mailmate/attachments/20160129/84544479/attachment-0001.eml>