Just as the title states, do non-web based email clients (e.g. Microsoft Outlook) respect CSP HTTP headers?
Specifically, I want to prevent hotlinking of images hosted on my domain within HTML emails with these HTTP headers:
Cross-Origin-Resource-Policy: same-origin
Vary: Origin
This recent Microsoft CSP article may be of help.
In the past, anything that was non-browser would just ignore. It's best to test your policy against whatever method you're trying to prevent. You know what assume stands for.
One thing that I find effective & troubling is hash file name changing with expiring timestamps.
Hope this helps.
That article seems to be relevant only to Microsoft Power Platform, which doesn't apply in this case, unless I am misunderstanding something.
I'm also realizing that my question is specific to CORS, not CSP, but I can make the presumption (or shall I never assume?) that they are both either supported or not supported.
A CDN can check the HTTP referer, to make sure the request does not originate from visitors on another site. This means it denies access to requests, when the HTTP referer does not include your domain name and not blank.
I also found another useful page on hotlinking that may give you some insight.
This reminds me of the time I wrote a simple web browser app. It would only work on "basic" sites. I wanted to display certain websites, only to discover they didn't allow any other apps outside of their User Agents of the 5 major browsers to access the site(s).
I feel like blocking IP addresses or domain names from using images is all that needs to be done. What does the hotlinking request look like, and can you differentiate it from browser requests?
If an app is shielding itself from your policies, you find out what it's using (or not) and block it.
olk.exe (Outlook)
msedgewebview2.exe (WebView2 Manager)
XPDAgent.exe (initiate scans for malware and other security threats, tracing network activity)
https://outlook.office.com/api
akamaitechnologies.com (Akamai image server)
52.96.41.146 (Microsoft Azure)
20.42.65.88 (Microsoft Azure)
...
52.96.119.130 (Microsoft Abuse IP Database)
CSP (Content Security Policy) restricts what content can load on a webpage. It aims to prevent malicious scripts or unwanted content.
Email clients generally don't follow website CSP rules. They often render emails in their own way, bypassing the website's security settings.
So, while website CSP can't directly control email content, it can still play a role in overall security. For example, a website might use CSP to restrict where images in its emails can be loaded from, potentially limiting the risk of malicious content.
Here's a Simpler Analogy:
Imagine CSP as a security guard at a building's entrance. They check everyone entering. Email clients are like special guests who can bypass the guard and enter directly. However, the security guard might still be able to check where these guests got their things (like images in emails) for any suspicious items.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.