Protecting Boxer users from malicious HTML content

The use of HTML in email has long provided useful formatting capabilities, but the complexity in today's HTML rendering engines also provides many attack vectors for malicious parties to invade the privacy of message recipients. These engines provide many different avenues to load resources from third-party servers or execute the contents of scripts, making it extremely difficult to ensure that HTML authored by third parties doesn't trigger unwanted behavior.

Browser developers realized this was a significant problem quite some time ago, and in response developed a standard called Content Security Policy (CSP), which allows developers to specify clearly and comprehensively what resources may be loaded from where and what scripts are allowed to run. First proposed in 2004 and recognized as a W3C standard in 2012, CSP has long been supported by all major browsers and is widely used to protect HTML content.

In Boxer, we ensure that every place we render HTML data applies a consistent CSP header to protect the user from unwanted behavior or invasion of privacy. The CSP header ensures that no JavaScript other than the application's own can run, that we don't load frames, fonts, or other objects from the network, and that we control the allowed sources for every type of resource that CSP can protect.

The exact CSP policy in use varies with the source of the HTML being displayed and the security policies configured by the administrator, so we cannot document the exact policy here.
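As an added illustration (not Boxer's code, and the sample policies are constructed rather than Boxer's actual header), the following Python checker parses a Content-Security-Policy value and tests it for the properties described above: script only from the application itself, no frames, fonts or objects from the network, and a default-src so that every resource type is governed.

```python
APP_ONLY_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header: str) -> dict:
    """Split a CSP value into {directive-name: [source tokens]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:  # skip empty segments such as a trailing ';'
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy: dict, directive: str) -> list:
    """Sources governing a fetch directive, with default-src fallback.
    Neither present means CSP imposes no limit, modelled here as '*'."""
    return policy.get(directive, policy.get("default-src", ["*"]))

def app_only(source: str) -> bool:
    """True for source expressions admitting only bundled or pinned script."""
    s = source.lower()
    return s in ("'self'", "'none'") or s.startswith(APP_ONLY_PREFIXES)

def check_email_csp(header: str) -> list:
    """Return findings; an empty list means the policy meets the stated goals."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted resource types are unrestricted")
    for directive in ("frame-src", "font-src", "object-src"):
        sources = effective_sources(policy, directive)
        if [s.lower() for s in sources] != ["'none'"]:
            findings.append(f"{directive} allows {' '.join(sources)}; expected 'none'")
    remote = [s for s in effective_sources(policy, "script-src") if not app_only(s)]
    if remote:
        findings.append(f"script-src admits non-application script: {' '.join(remote)}")
    return findings

# Constructed sample policies (illustrative, not Boxer's actual header).
STRICT_POLICY = ("default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
                 "img-src 'self' data:; frame-src 'none'; font-src 'none'; object-src 'none'")
WEAK_POLICY = "script-src 'self' https://cdn.example; style-src *"

if __name__ == "__main__":
    for name, header in (("strict", STRICT_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_email_csp(header) or "meets the stated goals")
```

The weak policy is reported five times: no default-src, frames, fonts and objects all unrestricted, and a script source outside the application.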

For additional information, please refer to the following:

Support Contact Information

To open a Support Request, please call your local AirWatch support line or submit a Support Request via myAirWatch.


Best Regards,

The AirWatch Team
