texxasrulez/inline_previewer

Secure inline attachment previews for Roundcube message view

Maintainers

Package info

github.com/texxasrulez/inline_previewer

Type:roundcube-plugin

pkg:composer/texxasrulez/inline_previewer

Statistics

Installs: 1

Dependents: 0

Suggesters: 0

Stars: 0

Open Issues: 0

Security

Advisories: 0

Aikido package health analysis

0.0.1 2026-03-06 21:00 UTC

Requires

GPL-3.0 d80ffb7d8f6b1611be070b2a6aab85d3f21026e3

This package is auto-updated.

Last update: 2026-03-06 21:03:21 UTC

README

Packagist Downloads Packagist Version Github License GitHub Stars GitHub Issues GitHub Contributors GitHub Forks Donate Paypal

inline_previewer adds secure inline attachment previews in Roundcube message view.

Features

  • Inline attachment cards rendered below message view content.
  • Supported previews (strict whitelist): images, PDF, and optional audio/video.
  • Collapsed-by-default lazy previews with optional Preview all / Collapse all controls.
  • Consistent fallback cards for unsupported files (filename, size, MIME, Download button).
  • vCard attachments can be imported into address book directly from the card action.
  • Office/vCard card handlers support Open in new tab via safe openable-type allowlist.
  • Keeps existing Roundcube attachment download behavior intact.

Installation

  1. Copy plugins/inline_previewer into your Roundcube plugins/ directory.
  2. Copy plugins/inline_previewer/config.inc.php.dist to plugins/inline_previewer/config.inc.php.
  3. Add inline_previewer to $config['plugins'] in Roundcube main config.
  4. Clear Roundcube cache if needed.

Configuration

Main options in config.inc.php:

  • $config['inline_previewer_enabled']
  • $config['inline_previewer_disable_vcard_import_when_vcard_attach']
  • $config['inline_previewer_debug_log']
  • $config['inline_previewer_collapsed_by_default']
  • $config['inline_previewer_show_bulk_controls']
  • $config['inline_previewer_enable_media']
  • $config['inline_previewer_enable_text_preview']
  • $config['inline_previewer_enable_office_preview']
  • $config['inline_previewer_allow_svg']
  • $config['inline_previewer_max_preview_size']
  • $config['inline_previewer_allowed_mime_types']
  • $config['inline_previewer_allowed_extensions']
  • $config['inline_previewer_openable_mime_types']
  • $config['inline_previewer_openable_extensions']

Security Notes

  • HTML/XHTML attachments are never previewable by default whitelist.
  • MIME type and extension are both checked before enabling preview.
  • Preview size is capped (inline_previewer_max_preview_size).
  • Preview responses are served through Roundcube's authenticated attachment action (_action=get) only.
  • Preview requests apply stricter headers via message_part_get:
    • Content-Security-Policy
    • X-Content-Type-Options: nosniff
    • Referrer-Policy: no-referrer
  • No remote URL fetching is used; previews only target current message attachments.
  • Optional compatibility guard disables plugin vCard import when vcard_attach is active.

Hook Usage

  • message_load: reads message attachments and computes per-file preview eligibility.
  • render_page: injects plugin CSS/JS and attachment metadata into the message page.
  • message_part_get: enforces safe inline headers and keeps non-whitelisted requests as download.

Manual Test Plan

  1. Open a message with JPG/PNG/PDF attachments and verify each card shows Preview + Download + Open in new tab.
  2. Expand previews and confirm lazy-load behavior (content loads only after opening).
  3. Attach a file larger than configured max size and verify Too large to preview appears.
  4. Attach unsupported types (.html, .js, .zip) and verify no inline preview is offered.
  5. Enable media config and verify MP3/MP4 preview works; disable and verify it is blocked.
  6. Confirm direct Download links still work for all attachment types.
  7. Inspect preview response headers in browser devtools and verify CSP + nosniff are present.
  8. Test with vcard_attach enabled and verify inline_previewer Import button is hidden/disabled by config default.
  9. Enable inline_previewer_debug_log and confirm failures write [inline_previewer] entries in Roundcube error log.

Changelog

0.0.1

  • Added compatibility guard for vcard_attach overlap on vCard import.
  • Added optional debug logging for preview/import failure paths.
  • Added additional preview support for text and office file types.