Login/Register
Can I use HTML5 to send a client-side email?
Asked Answered
Solved javascriptemailhtmlclient-side
C

6

7

I want to send an email in HTML5. I don't want to force the user to open a mail client, I want to send the email directly from the web page.

On a side note, is there any way at all to do this in JavaScript? I know it's probably not possible, just wondering if there are any crafty ways to pull it off going completely through the client.

Capriole answered 29/3, 2011 at 2:54 Comment(4)
could be malicious, your web browser could be used to send spam if it was ever possible.Claud
agreed. browser vendors would try to prevent this at all costs.Ridglee
I think it is possible. See the below post. It could be used maliciously but I don't think browser vendors could necessarily stop it. Practically the likes of google would blacklist a site as malware if it was trying to setup a smtp botnet using these techniques.Afra
Security flaw: if the SMTP server you're connecting with requires password authentication, then you would have to expose that password (and its corresponding username) to the client. I.e. to your user's web browser. If your user was paying attention and extracted your password, then they would be able to use your SMTP server to send spam until you reset your password. They might even be able to use the password & username to change the password on the server, locking you out. EDIT: unless your SMTP server supports tokens, like smtpjs.com says it does.Toy
A
8

Yes it is possible. But not practical ** See Edit 2

Some HTML5 implementations include support for websockets, essentially a tcp connection to a server. Overlay some send/recv code and you can build a SMTP client.

In fact it looks like nodejs and websocket support has been used to implement a smtp client ... see here ...

You would still need a smtp server, username, password, etc just like a standard smtp client in order for it to work.

Using this method for spam would be unlikely as your smtp provider could easily cancel your account.

=== EDIT ===

Actually you could build a server less version, it would have to also implement name server lookups to find mx records. Chances are however that any decent SMTP servers maintain spamlist blacklist tables and connecting from an random ip address would see the email commonly marked as spam.

Also talking to smtp servers that require secure mail connections could be difficult.

As others have mentioned there are malicious uses to this implementation like sending spam. I guess it is possible you could be a HTML5 botnet creator but I would have thought that you would know most of this already :)

=== EDIT 2 ===

As Mark At Ramp51 mentioned, Handshaking is required with websockets. This was something I wasn't aware of. You would have to hack the websocket implementation to bypass handshaking.

The correct way is to have the web server forward the email.

Afra answered 29/3, 2011 at 3:33 Comment(13)
So, basically turn the client itself into the outbound SMTP server? Sounds like it could work. But, don't you need special privileges to get access to MX records? I guess you would have to just scrape a site that provides them. Im interested - where do you think I should start?Capriole
Domain Name lookup is just another protocol that could use websockets. You could implement that as well. Someone might have already done it thou ... github.com/skampler/ndnsAfra
I'd be inclined to agree with you if there wasn't a WebSocket handshake required by the protocol, if you look at the protocol handshake at the top of this article en.wikipedia.org/wiki/WebSockets The current SMTP protocol doesn't support this so you would be depending on the smtp server you are connecting to, to somehow be encapsulated by something that can satisfy this handshake. Additionally all the browsers that were slated to support it, dropped their support due to security concerns. Put simple, WebSocket and tcp sockets are not created equal.Ridglee
not enabled by default on most "decent" browser that would implement this featureClaud
So, is it worth a shot? I think that it's only really worth doing if it covers most or at least half of the popular browsers.Capriole
You cannot build a serverless version because most ISPs block port 25.Buck
No, don't waste your time. Any solution you come up with will be shut down by a browser vendor plugging the hole you've found, and you will just have to find another way to circumvent the system. If the job is too hard than you might be using the wrong tool, find the right tool.Ridglee
Don't get me wrong, I agree, you should be using the right tool for the job. Server based email sending is orders of magnitude easier.Afra
I haven't had a look at the handshaking but something like that would certainly make things difficult to carry out my suggestionAfra
Wow.... he unmarked me correct and marked you correct. I guess i shouldn't be surprised anymore.Ridglee
"Some HTML5 implementations include support for websockets, essentially a tcp connection to a server. Overlay some send/recv code and you can build a SMTP client." — Not true. WebSockets are not raw sockets.Feebleminded
"In fact it looks like nodejs and websocket support has been used to implement a smtp client" — No. You could build an HTTP server in Node.js that was also an SMTP client and then communicate with it using Web/Sockets … or you could just use regular HTTP and making an Ajax request to it. WebSockets are pointless for this. Their advantage is that they allow for server initiated messages which aren't helpful for this problem.Feebleminded
"You would have to hack the websocket implementation to bypass handshaking" — No. You'd have to use something that isn't WebScokets. It might be possible to do this with a browser extension, but I wouldn't be surprised if you'd need them to install a custom browser!Feebleminded
R
13

In short NO not directly from the client (excluding hacks).

you could make an ajax call to your server and send an email.

the problem with doing it from the client and not using a mail client is complicated. For example most consumer ISPs have their own SMTP relay that all outbound mail on port 25 must be transmitted over. You website will have trouble obtaining the proper information to do this. Secondly the webbrowser doesn't understand the SMTP protocol and neither does the XMLHttpRequest object.

So if you are a hacker ninja, maybe you can figure something out with ActiveX, Java Applets, or flash, but you basically would have to be operating directly with a tcp socket and issuing SMTP protocol commands over that socket.

There are many obstacles to overcome, in fact I don't know how to do it, but where there is will there is a way. Don't be surprised that if you do find a hack, it may be plugged swiftly by the major browser vendors.

Ridglee answered 29/3, 2011 at 3:0 Comment(4)
You might put a reference to Adobe Reader in your ninja list. It is so full of holes I'm sure someone could figure out how to pwn the clients email client... ;)Vanda
Thanks for the pointers on handshaking, it had been a while since I had looked at websockets.Afra
No problem man, it was a wake up call for myself actually. Before I went reading about them i had the same perception of them.Ridglee
Another non-standard possibility I think could be to use Firefox's sockets capabilities along with github.com/brettz9/asyouwish allowing use of JavaScript all the way (though Firefox only and requiring users to install the add-on).Hisakohisbe
A
8

Yes it is possible. But not practical ** See Edit 2

Some HTML5 implementations include support for websockets, essentially a tcp connection to a server. Overlay some send/recv code and you can build a SMTP client.

In fact it looks like nodejs and websocket support has been used to implement a smtp client ... see here ...

You would still need a smtp server, username, password, etc just like a standard smtp client in order for it to work.

Using this method for spam would be unlikely as your smtp provider could easily cancel your account.

=== EDIT ===

Actually you could build a server less version, it would have to also implement name server lookups to find mx records. Chances are however that any decent SMTP servers maintain spamlist blacklist tables and connecting from an random ip address would see the email commonly marked as spam.

Also talking to smtp servers that require secure mail connections could be difficult.

As others have mentioned there are malicious uses to this implementation like sending spam. I guess it is possible you could be a HTML5 botnet creator but I would have thought that you would know most of this already :)

=== EDIT 2 ===

As Mark At Ramp51 mentioned, Handshaking is required with websockets. This was something I wasn't aware of. You would have to hack the websocket implementation to bypass handshaking.

The correct way is to have the web server forward the email.

Afra answered 29/3, 2011 at 3:33 Comment(13)
So, basically turn the client itself into the outbound SMTP server? Sounds like it could work. But, don't you need special privileges to get access to MX records? I guess you would have to just scrape a site that provides them. Im interested - where do you think I should start?Capriole
Domain Name lookup is just another protocol that could use websockets. You could implement that as well. Someone might have already done it thou ... github.com/skampler/ndnsAfra
I'd be inclined to agree with you if there wasn't a WebSocket handshake required by the protocol, if you look at the protocol handshake at the top of this article en.wikipedia.org/wiki/WebSockets The current SMTP protocol doesn't support this so you would be depending on the smtp server you are connecting to, to somehow be encapsulated by something that can satisfy this handshake. Additionally all the browsers that were slated to support it, dropped their support due to security concerns. Put simple, WebSocket and tcp sockets are not created equal.Ridglee
not enabled by default on most "decent" browser that would implement this featureClaud
So, is it worth a shot? I think that it's only really worth doing if it covers most or at least half of the popular browsers.Capriole
You cannot build a serverless version because most ISPs block port 25.Buck
No, don't waste your time. Any solution you come up with will be shut down by a browser vendor plugging the hole you've found, and you will just have to find another way to circumvent the system. If the job is too hard than you might be using the wrong tool, find the right tool.Ridglee
Don't get me wrong, I agree, you should be using the right tool for the job. Server based email sending is orders of magnitude easier.Afra
I haven't had a look at the handshaking but something like that would certainly make things difficult to carry out my suggestionAfra
Wow.... he unmarked me correct and marked you correct. I guess i shouldn't be surprised anymore.Ridglee
"Some HTML5 implementations include support for websockets, essentially a tcp connection to a server. Overlay some send/recv code and you can build a SMTP client." — Not true. WebSockets are not raw sockets.Feebleminded
"In fact it looks like nodejs and websocket support has been used to implement a smtp client" — No. You could build an HTTP server in Node.js that was also an SMTP client and then communicate with it using Web/Sockets … or you could just use regular HTTP and making an Ajax request to it. WebSockets are pointless for this. Their advantage is that they allow for server initiated messages which aren't helpful for this problem.Feebleminded
"You would have to hack the websocket implementation to bypass handshaking" — No. You'd have to use something that isn't WebScokets. It might be possible to do this with a browser extension, but I wouldn't be surprised if you'd need them to install a custom browser!Feebleminded
B
2

This is not possible.

Instead, you should use AJAX to send the email on the server.

Buck answered 29/3, 2011 at 2:57 Comment(0)
P
1

You can't send the email using JavaScript alone. You'll need some form of server side processing (PHP, ASP, etc) to send the actual email.

There's a good tutorial on setting up an ajax form here: http://net.tutsplus.com/tutorials/javascript-ajax/submit-a-form-without-page-refresh-using-jquery/

It doesn't include the PHP (or ASP, etc) for sending the email, but there are plenty of tutorials out there for how to send an email using PHP.

Portwine answered 29/3, 2011 at 3:3 Comment(0)
O
1

Send email directly from Javascript

From official resource:

How does it work?

  1. Connect your email service Choose from a wide variety of email services. We support both transactional email services (Mailgun, Mailjet, Mandrill, SendGrid, Amazon SES and Postmark) and personal email services (AOL, Gmail, FastMail, iCloud, Mail.ru, Outlook, Yahoo, Yandex and Zoho).

  2. Create email templates Choose from a list of our template designs, or easily build your own. Templates are parametrized, so that you can further customize them via Javascript.

  3. Send email with our Javascript API Add our Javscript SDK, and start sending emails!

Here's what a typical call looks like:

var service_id = 'my_mandrill';
var template_id = 'feedback';
var template_params = {
  name: 'John',
  reply_email: '[email protected]',
  message: 'This is awesome!'
};

emailjs.send(service_id,template_id,template_params);

All existing APIs require using a secret key, which you obviously wouldn't want to share in your front-end code. Specified service overcome this by allowing sending only predefined templates, so for a "Share with a friend" feature you'd create a template called "share".

Orourke answered 8/8, 2017 at 8:52 Comment(1)
"From official resource" — The term "official" here seems to imply some kind of web standards authority. What you are doing here is using a third party service that will (in exchange for giving them the password to your SMTP server — and nothing else, so what is in it for them other than collecting email addresses and other marketing information about you and your visitors?) — send email if you make an Ajax request to them. This is really the same answer that Mark At Ramp51 gave, but recommending a third party service.Feebleminded
D
0

You can't do it purely through client side code.

You can do it with a server callback, AJAX.

Driveway answered 29/3, 2011 at 2:58 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.