Is it possible to embed an interactive Google Map in an email?
I know it is possible with static maps, but I'm starting to doubt if it is possible with interactive ones.
No.
I don't even know whether the map uses Javascript, Flash, Java, HTML5, or anything else, but I can still confidently say 'no'.
There's virtually no chance that your recipient's mail client will support it.
You might come across some mail clients (most likely webmails) that haven't blocked that kind of content, but that will almost certainly be an oversight on their part.
No decent mail software is going to support it, because the technologies involved are either complex or a security risk to the end user.
And even if some newer mail clients were to somehow provide support for it, you need to consider that many people have old email clients. It's commonly said that you have to design emails like it's 1999.
The best you will be able to do is include a link in your message, to a hosted map.
Related
Although I know a lot of email clients will pre-fetch or otherwise cache images. I am unaware of any that pre-fetch regular links like some link
Is this a practice done by some emails? If it is, is there a sort of no-follow type of rel attribute that can be added to the link to help prevent this?
As of Feb 2017 Outlook (https://outlook.live.com/) scans emails arriving in your inbox and it sends all found URLs to Bing, to be indexed by Bing crawler.
This effectively makes all one-time use links like login/pass-reset/etc useless.
(Users of my service were complaining that one-time login links don't work for some of them and it appeared that BingPreview/1.0b is hitting the URL before the user even opens the inbox)
Drupal seems to be experiencing the same problem: https://www.drupal.org/node/2828034
Although I know a lot of email clients will pre-fetch or otherwise cache images.
That is not even a given already.
Many email clients – be they web-based, or standalone applications – have privacy controls that prevent images from being automatically loaded, to prevent tracking of who read a (specific) email.
On the other hand, there’s clients like f.e. gmail’s web interface, that tries to establish the standard of downloading all referenced external images, presumably to mitigate/invalidate such attempts at user tracking – if a large majority of gmail users have those images downloaded automatically, whether they actually opened the email or not, the data that can be gained for analytical purposes becomes watered down.
I am unaware of any that pre-fetch regular links like some link
Let’s stay on gmail for example purposes, but others will behave similarly: Since Google is always interested in “what’s out there on the web”, it is highly likely that their crawlers will follow that link to see what it contains/leads to – for their own indexing purposes.
If it is, is there a sort of no-follow type of rel attribute that can be added to the link to help prevent this?
rel=no-follow concerns ranking rather than crawling, and a no-index (either in robots.txt or via meta element/rel attribute) also won’t keep nosy bots from at least requesting the URL.
Plus, other clients involved – such as a firewall/anti-virus/anti-madware – might also request it for analytical purposes without any user actively triggering it.
If you want to be (relatively) sure that any action is triggered only by a (specific) human user, then use URLs in emails or other kind of messages over the internet only to lead them to a website where they confirm an action to be taken via a form, using method=POST; whether some kind of authentication or CSRF protection might also be needed, might go a little beyond the context of this question.
All Common email clients do not have crawlers to search or pre-build <a> tag related documents if that is what you're asking, as trying to pre-build and cache a web location could be an immense task if the page is dynamic or of large enough size.
Images are stored locally to reduce load time of the email which is a convenience factor and network load reduction, but when you open an email hyperlink it will load it in your web browser rather than email client.
I just ran a test using analytics to report any server traffic, and an email containing just
linktomysite
did not throw any resulting crawls to the site from outlook07, outlook10, thunderbird, or apple mail(yosemite). You could try using a wireshark scan to check for network traffic from the client to specific outgoing IP's if you're really interested
You won't find any native email clients that do that, but you could come across some "web accelerators" that, when using a web-based email, could try to pre-fetch links. I've never seen anything to prevent it.
Links (GETs) aren't supposed to "do" anything, only a POST is. For example, your "unsubscribe me" link in your email should not directly unsubscribe th subscriber. It should "GET" a page the subscriber can then post from.
W3 does a good job of how you should expect a GET to work (caching, etc.)
http://www.w3schools.com/tags/ref_httpmethods.asp
I'm attempting to make a mail client that is HTML5/JS only where users would have to define their mail server and credentials.
I've surfed google leading to dead ends and figured that this is the next best place (or superuser.com).
I was thinking of using HTML5 WebSocket if I could to make the connection to the server but I don't know enough of smtp, imap, or pop3's architecture to understand how javascript could pass the args and perform what I want it to do.
PHP cannot be involved in this project otherwise I wouldn't be asking the question.
Any help in locating this would be fantastic.
Nothing is impossible. Except this.
In standard HTML or JavaScript, you can't make raw-socket connections, which is what you'd need to speak any of the protocols you've listed. The WebSocket API doesn't help you, because the server must also speak WebSockets, and mail servers don't. This is actually all a good thing, though. Imagine if you visited a random website and it telnetted to your home router, setting it on fire and burning down your house. That's what websites would be able to do if they could initiate plain TCP socket connections.
You have a few options I can think of, neither of which involves building a webpage. (And to be clear, you didn't say your project had to be a webpage; you merely said HTML/JS, so these are indeed legitimate options.)
First is something like node-webkit. As the readme says, "You can write native apps in HTML and Javascript with node-webkit." You'll still have to distribute it as a native app, because that's what it is.
Second is a Chrome app, specifically using the chrome.socket API. But have fun writing a TLS layer over those sockets, which you'll find is a requirement for almost any mail server these days. If you succeed in doing that, you'll be able to distribute your mail client in the Chrome Web Store, where I assure you an email client will be quite popular.
Third, write a webserver that operates locally, so your users will visit something like http://localhost:9999/mail in their browser. This will be a real pain to distribute, but you can use almost any technology you want.
I'm sure there's a fourth valid option, and someone else can chime in on that one.
Best of luck.
Some people have asked similar questions about protecting HTML5 apps and protecting freemium apps, but not both together. I'm asking this separately because I have the impression (whether right or wrong) that HTML5 is particularly insecure vs native.
I'm working on an embedded HTML5 app I want to monetize using the freemium model, but I'm worried about how to keep its virtual currency and scoring variables from being too easily messed with by the end user, as I fear this could negatively impact revenue if some hacker (no offense intended by the term) were to create a YouTube video or blog posting about an exploit. I think it is pretty unlikely early on for this to happen, but I think vulnerability will matter more with popularity. I'm also worried about with which someone can copy an app.
I though realize both are possible inherently with an app installed on the device.
My questions are:
How easy is it, in your opinion or experience, to mess with an
unobfuscated embedded (not browser dependent) HTML5 app and its Javascript vs a native app with core files based on Java or Objective-C data?/How well does obfuscation work on HTML5 apps vs native obfuscated
apps in terms of data protection?
How difficult is it to obfuscate an HTML5 app vs using something like Proguard on regular Android apps?
Does obfuscation cause HTML5 to noticeably slow down for normal users?
Lastly, do you think it's practical to have an HTML5 app with
freemium features? Or do you personally think it is too vulnerable?
What I'm basically trying to figure out with them is whether HTML5 is particularly vulnerable or hard to protect, at least when compared to protecting native apps. If an obfuscated HTML5 app is as secure or insecure as a regular app, then I guess I'm okay with it.
The only way to prevent cheating (and unlocking freemium items is a kind of cheating) is to move all the relevant game logic to the server. Forget about obfuscation. When it's executed on the clients machine, it's under the control of the user. Obfuscation can slow the user down, but it can't stop someone who is determined to hack it. This doesn't just apply to javascript, it applies to every game client, no matter what programming language it is written in.
A general rule of designing cheat-proof multiplayer games is to never trust the client and do all calculations which are relevant for gameplay on the server.
In my opinion it is better to obfuscate AND never trust the client.
Not only that, I would even compress the obfuscated code and I would add an obfuscated decompressor in the client and/or the server.
The technique is viable and it is what professional companies are using all over the web.
Now, to answer your questions:
It's not easy to mess with a correctly obfuscated code (something
which will require you to compress/crypt even numbers).Professional
hackers won't mess with your code "for sport" unless they're given
money to do so and even in that case, they'll have a hard time doing
it (that's why I don't believe in the "forget about obfuscation" way
of thinking).
Obfuscation works really well in terms of data protection.Your code
becomes unreadable and, to some extent, it can be seen as a
compression algorithm thus it reduces file size and loading times.
Obfuscation is easy if you rely on professional tools which can
obfuscate, for example, JS, html5, css and php all together. It's
harder only if you have to develop such tools.But there exists
open-source software too in the field.
It slows down "normal users" definitely, they feel lost in front of
you code.
It's practical to have an HTML5 app with freemium features but it
all depends on your implementation of such options.
If done correctly as stated above, it's less vulnerable but,
personally, I don't like this business model.
I am building an email marketing application, and in that I want to provide a functionality for the user to view his html mails in different mail clients. How can I create this? Please help.
You might also want to check out Email on Acid - they have an API out that is cheaper than Pivotal Veracity and Litmus and their results are generally much faster.
Any email client will either use its own inbuilt HTML renderer/viewer(which generally will be a standards compliant) or the default one set on that particular OS. So if your email template looks same on all the browsers, it should show the same on all email clients. Check this from mailchimp
Interesting question!
To get useful results, you would have to actually render the E-Mail in each client. There is zero chance to do that within a client application, due to a multitude of platform and licensing issues.
The only way I can see is building some sort of web service, running on a server on which each client runs using a scripting engine (maybe with virtual machines for the various platforms, Windows, Mac OS, Linux...), and making screen shots of the rendered result, similar to what browsershots does for browsers.
While that is not impossible - you may even be able to use browsershots as a basis - it's going to be tough to set up, and possibly expensive as you would have to buy a number of commercial mail clients (Outlook, Lotus...)
You might be able to gain a big competitive edge by implementing this, but the effort would be huge.
The only viable option is to actually have the email rendered in a set of email clients, with the user of your service being given screenshots of the output.
The whole process can be automated. See how Litmus does this.
We've used a company called Pivotal Veracity in the past. Basically, you send your test email to an email address they provide and then you log in to their application to see how it renders in different email clients (even web clients). You can view the email as it would look with images on or images off.
I've been playing with HTML5 location lookups recently and its relatively straightforward to pull someones location from a device like an iPhone.
I want to write an app that uses location data, but its important that the location be factual. In other words I need to prevent people from authoring a fake post to the backing website / web service with mocked up GPS coordinates.
Is there anyway to collect GPS coordinates from a mobile device using the HTML5 geolocation apis and securely transmit that back to a web service in a way that someone wouldn't be able to author a post with the same data and "game the system" so to speak?
Not without some serious encryption on the payload on the client. Which if there is money involved, someone will reverse engineer and figure out how to create valid payloads themselves. Remember if there is money or fame involved then somebody will think the effort to do something like this is "worth it". If your web service is public and not using some kind of encryption nothing on the client will ensure that someone with a network connection can't sniff your protocol and fake whatever data they want. And SSL won't cut it. Anyone can proxy the SSL connection on their local network decrypt the payload and inspect it to their hearts content.
No. Completely agree with the answer from fuzzy lollipop. If you’re talking to a remote machine, the data can always be faked. Always always. What makes you certain you’re even talking to a mobile device at all? The User-Agent string? Pfft, it can be faked. Talking to a GPS? Pfft, could be coming from a predefined path. Talking to a web browser? Pfft, could be a bot, or some other malware.
And don’t think encryption (i.e. HTTPS) is going to help you. The client could edit any of your HTML, CSS, or JavaScript on-the-fly — take Firebug or Greasemonkey for example.
The reasons why you can’t trust the client are the same as the reasons why exploits such as SQL or HTML injection are so common. Ever heard the phrase “the customer is always right”? Well, the customer may be right, but the client is always untrustworthy.
The system is there to be gamed. As flaws are discovered, you patch them one by one. It’s more like leapfrog, rather than achieving the holy grail. Bruce Schneier’s quip “security is a process, not a product” comes to mind. Asking for a system that “can’t be gamed” is missing the point. What you need to be doing is creating a system where the server sanitises the data, and/or rejects bad data — fuzz testing is not a bad idea, either.
That’s about the best you can do without shipping custom untamperable mobiles to your customers with the OS in ROM, and the inside sealed with epoxy.