external image loading on Tutanota
update: fix has been released that restores reliable image blocking functionality
2023.05.05, update: fix released with version 3.112.9, available on desktop but still not available for iOS/iPadOS from Apple's App Store.
Tutanota, by Tutao GmbH, is an email service with an excellent reputation. By default, Tutanota's apps block external images from loading when viewing an email. Blocking external images is helpful behaviour that protects from certain forms of tracking. Explicit action is required to allow external images to load.
There seems to be new unintentional behaviour, likely caused by a regression.
Images that are blocked from loading while viewing an email are displayed when the user attempts to reply to that email.
When a user replies to an email which contains external content, Tutanota's client makes a network request for the external resource, without the explicit user action that is typically required, even if the user has not previously whitelisted images from that email sender.
It is possible to block this network request using network filters, such as those that make use of the Network Extension on MacOS. Little Snitch and LuLu are examples of such filters/firewalls.
The issue exists on Tutanota's clients for desktop and mobile (v3.112.6). On desktop, I confirmed the actual network request is made. On mobile, I've only seen the outcome, in that the external image is loaded without the user allowing it. Since the all Tutanota clients rely on the same codebase, I'm confident that this behaviour is cross-platform.