fix(mail): avoid remote avatars in MCP embeds

[steve8708]

Summary

• fall back to account initials instead of Google-hosted avatar images when Mail is rendered as an MCP embed
• suppress other external image fetches in Mail MCP embeds: Inbox Zero Unsplash art, email-body remote images, and Apollo contact/company images
• keep remote avatars and email images available for normal Mail sessions, with existing user controls and fallbacks
• avoids COEP/CORP console noise in ticketed MCP iframe renders without relaxing embed security headers

Verification

• pnpm --filter mail typecheck
• pnpm --filter mail exec vitest --run app/lib/mcp-embed.spec.ts actions/manage-draft.spec.ts app/components/email/mcp-compose-prompts.spec.ts app/pages/inbox-navigation.spec.ts
• pnpm --filter mail build
• pnpm prep
• production MCP embed smoke before fix reproduced Mail render with COEP-blocked googleusercontent avatar

[steve8708]

Addressed the Builder review finding in the latest head. block-all now runs the image policy over both sanitized email head and body fragments, strips remote CSS url(...) references and @import from inline styles / style tags, and removes legacy remote background / poster resource attributes while preserving inline data:image/* and cid: images. I also moved the policy into app/lib/email-image-policy.ts and added focused regression coverage in app/lib/email-image-policy.spec.ts. Verification: focused Mail vitest suite, pnpm --filter mail typecheck, pnpm --filter mail build, and full pnpm prep are green locally.

[steve8708]

Addressed the second Builder review finding in eae0c96. block-all now removes link[href] elements from sanitized email head/body fragments before rendering, which closes the remote stylesheet/preload/font fetch path in MCP embeds. Added a regression test covering remote link href removal. Verification after the change: focused Mail vitest suite, pnpm --filter mail typecheck, pnpm --filter mail build, and full pnpm prep are green locally.

[steve8708]

Addressed the latest Builder review findings in b4f9d90. block-all now removes remote SVG fetch attributes (image/feImage/use href and xlink:href) and preserves safe same-document CSS fragment references while still stripping remote CSS resources. Added focused regression tests for both cases. Local verification is green: focused Mail vitest suite, pnpm --filter mail typecheck, pnpm --filter mail build, and full pnpm prep.

[builder-io-integration]

Builder reviewed your changes and found 1 potential issue 🟡

Review Details

Code Review Summary — Complete PR #883

This PR successfully addresses the four previously-flagged issues and implements comprehensive image blocking for MCP embeds. All four earlier concerns have been resolved through targeted fixes.

Changes:

• Extracted image-blocking logic into dedicated email-image-policy.ts with comprehensive block-all mode
• Added MCP embed detection (isMcpEmbedSurface()) to force stricter policies in embedded contexts
• Fixed SVG resource element filtering for <image>, <feImage>, <use> with href/xlink:href
• Fixed CSS fragment URL preservation to protect inline SVG references like url(#clipPath)
• Fixed <link> element filtering to block stylesheet fetches in block-all mode
• Added 14 comprehensive tests covering all scenarios

Previously-flagged issues (all resolved):

• ✅ CSS background images blocking
• ✅ Missing <link> filtering
• ✅ Remote SVG attributes bypass
• ✅ CSS fragment URLs broken

Risk: Standard

---

🟡 NEW FINDING (1 MEDIUM issue):

🟡 MEDIUM: Integration gap — SVG cid: fallbacks stripped by earlier sanitization

The new processHtmlImages() function correctly preserves cid: and fragment-only URLs on SVG resource elements. However, the upstream sanitizeEmailHtml() function (not modified in this PR) validates href/xlink:href attributes as link URLs, which reject cid:. Result: <image xlink:href="cid:logo"> gets stripped before processHtmlImages() sees it.

Evidence: The new test at line 86-105 passes because it calls processHtmlImages() directly, bypassing the sanitizer. The real rendering pipeline (EmailThread → sanitizeEmailHtml → processHtmlImages) would fail.

Impact: SVG elements with cid: fallbacks will render without their local resources, even though the fallback should survive per the design.

Fix: Either (a) update sanitizeEmailHtml() to treat SVG resource href/xlink:href as image URLs instead of link URLs, or (b) add an integration test that exercises the full pipeline to catch this issue earlier.

---

Also noted: 1 LOW severity (double HTML parsing at lines 107-110 in email-image-policy.ts creates a parser that's never used, wasteful but not a correctness bug).

🧪 Browser testing: Skipped — PR modifies backend HTML processing logic only, no UI/visual changes.

[builder-io-integration]

🟡 SVG cid: fallbacks not preserved end-to-end in real rendering pipeline

The function correctly preserves cid: and fragment-only URLs on SVG elements. However, the real rendering pipeline sanitizes these attributes earlier: EmailThread.tsx's sanitizeEmailHtml() validates href/xlink:href as links, not images, so cid: URLs are rejected and removed before processHtmlImages() is called.

Why this matters: Test at line 86-105 passes because it calls processHtmlImages() directly. In production, <image xlink:href="cid:logo"> loses the fallback during sanitization, so the feature doesn't work end-to-end.

Fix: Add an integration test that exercises sanitizeEmailHtml() → processHtmlImages() pipeline, or coordinate with the sanitizer to allow cid: on SVG resource elements.

_{Or react with 🚀 to auto-fix.}