Bug 309513
| Summary: | [GTK] Remote content being disabled but WebKitNetworkProcess still tries to load remote content, and shares real IP address | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | 4fv3omdo1 |
| Component: | WebKitGTK | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Major | CC: | bugs-noreply, mcatanzaro |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
4fv3omdo1
Overview
----------------
Unsure if this has been reported here yet; I can't find it on the bug list here, and looking through some change logs I don't see it mentioned in the security updates, although this is a flaw needing to be adjusted somehow, someway!
Multiple email clients that leverage WebKit's awesome features (e.g. Geary, KMail, Balsa, and Evolution, to name a few) fail the Link Preconnect test when tested. This has been linked to WebKit's handling of data, an upstream issue that, if resolved here, can make other downstream applications more secure. Please help.
Issue
--------------
When the email contains `<link rel="preconnect" href="https://UNIQUE_TRACKING_HOSTNAME">` and is opened, before even clicking "Show" to load remote content, the email client still opens a TCP connection that negotiates TLS, presenting the sending server with "UNIQUE_TRACKING_HOSTNAME" and allowing the sender to get the real IP address of the recipient before remote content is even loaded. This is the case even when remote content loading is turned off in the settings.
Conclusion
------------
Geary (my main application of choice) is affected by this, and I and many digital-safety-minded people would greatly appreciate any upstream fixes.
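As an added example (not WebKit, Geary, or any other project's code), the following Node.js script shows what a mail client can do on its own side while the engine-level issue stands: find the resource-hint `<link>` elements that would make a WebKit view contact a host before the user has allowed remote content, report the host each one would reach, and strip them from the HTML before it is handed to the web view. It goes a little beyond the report by covering `dns-prefetch`, `preload` and the other hint rels, not only `preconnect`. The sample message, the hint list, and the `https://mail-body.invalid/` resolution base are constructed for this example.

```javascript
// Added example, not WebKit or mail-client code: scan an HTML message for
// resource-hint <link> elements and strip them before the body is handed to
// the web view. It works on the raw mail body with a tag scanner on purpose,
// so nothing has to be parsed by an engine (and nothing fetched) to inspect it.

// rel tokens that ask the engine to contact a host ahead of any actual load.
// Constructed list for the example; "preconnect" is the one from the report.
const HINT_RELS = new Set([
  "preconnect", "dns-prefetch", "prefetch", "preload", "modulepreload", "prerender",
]);

// Base used only to resolve scheme-relative hrefs such as //host/path. The
// .invalid TLD is reserved (RFC 2606), so a path-only href can never resolve
// to a real target; we treat that case as "no host".
const RESOLVE_BASE = "https://mail-body.invalid/";

const LINK_TAG_RE = /<link\b[^>]*>/gi;
const ATTR_RE = /([^\s=\/>"']+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attributes of one <link ...> start tag into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.slice("<link".length);
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// rel is a space-separated token list; true if any token is a resource hint.
function isHintLink(attrs) {
  const rels = (attrs.rel ?? "").toLowerCase().split(/\s+/).filter(Boolean);
  return rels.some((r) => HINT_RELS.has(r));
}

// One record per hint link: its rel, the raw href, and the host the engine
// would resolve and connect to (null if the href names no usable host).
function hintTargets(html) {
  const out = [];
  for (const tag of html.match(LINK_TAG_RE) ?? []) {
    const attrs = parseAttrs(tag);
    if (!isHintLink(attrs) || !attrs.href) continue;
    let host = null;
    try {
      const u = new URL(attrs.href, RESOLVE_BASE);
      if (u.host !== new URL(RESOLVE_BASE).host) host = u.host;
    } catch (e) {
      // unparsable href: still report the element, with host null
    }
    out.push({ rel: attrs.rel, href: attrs.href, host });
  }
  return out;
}

// Remove every hint <link>. Ordinary links (stylesheet, icon) are left alone;
// those are the remote content the client's existing switch already gates.
function stripHintLinks(html) {
  return html.replace(LINK_TAG_RE, (tag) => (isHintLink(parseAttrs(tag)) ? "" : tag));
}

// Constructed sample message, modelled on the report above.
const SAMPLE_EMAIL = `<!DOCTYPE html><html><head>
<link rel="preconnect" href="https://UNIQUE_TRACKING_HOSTNAME">
<link rel='dns-prefetch' href='//track.example.net/'>
<LINK REL="preload" AS="image" HREF="https://cdn.example.org/hero.jpg">
<link rel="stylesheet" href="https://cdn.example.org/style.css">
</head><body><p>Hello</p></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const t of hintTargets(SAMPLE_EMAIL)) {
    console.log(`${t.rel} -> ${t.host ?? "(no host)"}  (${t.href})`);
  }
  console.log(stripHintLinks(SAMPLE_EMAIL));
}
```

Two caveats. This is defence in depth for a client, not a substitute for the engine honouring the remote-content setting: a tag scanner on the raw body will miss hints the engine would still see if the markup is obfuscated (for example, a `<link>` split across an HTML comment or injected by inline script), so the upstream fix the report asks for is still what closes the hole. And stripping only hint rels is deliberate: `stylesheet`, `icon` and similar links are the remote content the client's existing "Show" switch is supposed to gate, and the report's point is that hints bypass that switch.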
Michael Catanzaro
*** This bug has been marked as a duplicate of bug 259787 ***