Javascript in emails: Bad idea? (Updated)

I asked on Twitter on October 26th if people thought it was a bad idea to include Javascript in email. The response was universally that it was a "really bad idea." As Unica's Len Shneyder put it, "Terrible idea! [It's a] potential security hole and like a .44 magnum to your toe." He goes on to point out that lots of places will block your mail based on javascript content. I've run into this myself; spam filterers find javascript in email to be a security risk.

Goodmail's Daniel Dreymann replied on Twitter with: "JavaScript in email is a really bad idea (ISPs delete it) unless you use Goodmail's CertifiedVideo (for some domains)." I asked him if he wanted to provide a bit more detail about the CertifiedVideo product, and he kindly provided the following: "Goodmail's CertifiedVideo solutions allow email senders to securely, safely and easily use JavaScript code within their opt-in email campaigns.

"High Level Overview: 1. The JavaScript code must be pre-approved by Goodmail. Goodmail then provides a cryptographically signed snippet back to the sender to insert into the message. Note that the sender must also be an accredited Goodmail sender and the message must also contain a Goodmail token on it. 2. Participating mailbox providers then perform a cryptographic check on the snippet and the token. The message is then delivered into the inbox, and the webmail user interface also enables the JavaScript within the validated snippet to run. Any other JavaScript is subject to the mail server's standard blocks."

0 comments: