chatmail · iequidoo · Nov 14, 2025 · Oct 26, 2025 · Oct 28, 2025 · Oct 28, 2025
diff --git a/src/chat/chat_tests.rs b/src/chat/chat_tests.rs
@@ -2632,12 +2632,6 @@ async fn test_can_send_group() -> Result<()> {
 /// the recipients can't see the identity of their fellow recipients.
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn test_broadcast_members_cant_see_each_other() -> Result<()> {
-    fn contains(parsed: &MimeMessage, s: &str) -> bool {
-        assert_eq!(parsed.decrypting_failed, false);
-        let decoded_str = std::str::from_utf8(&parsed.decoded_data).unwrap();
-        decoded_str.contains(s)
-    }
-
     let mut tcm = TestContextManager::new();
     let alice = &tcm.alice().await;
     let bob = &tcm.bob().await;
@@ -2669,8 +2663,8 @@ async fn test_broadcast_members_cant_see_each_other() -> Result<()> {
         );
         let parsed = charlie.parse_msg(&auth_required).await;
         assert!(parsed.get_header(HeaderDef::AutocryptGossip).is_some());
-        assert!(contains(&parsed, "[email protected]"));
-        assert_eq!(contains(&parsed, "[email protected]"), false);
+        assert!(parsed.decoded_data_contains("[email protected]"));
+        assert_eq!(parsed.decoded_data_contains("[email protected]"), false);
 
         let parsed_by_bob = bob.parse_msg(&auth_required).await;
         assert!(parsed_by_bob.decrypting_failed);
@@ -2698,8 +2692,8 @@ async fn test_broadcast_members_cant_see_each_other() -> Result<()> {
         );
         let parsed = charlie.parse_msg(&member_added).await;
         assert!(parsed.get_header(HeaderDef::AutocryptGossip).is_some());
-        assert!(contains(&parsed, "[email protected]"));
-        assert_eq!(contains(&parsed, "[email protected]"), false);
+        assert!(parsed.decoded_data_contains("[email protected]"));
+        assert_eq!(parsed.decoded_data_contains("[email protected]"), false);
 
         let parsed_by_bob = bob.parse_msg(&member_added).await;
         assert!(parsed_by_bob.decrypting_failed);
@@ -2713,8 +2707,8 @@ async fn test_broadcast_members_cant_see_each_other() -> Result<()> {
         let hi_msg = alice.send_text(alice_broadcast_id, "hi").await;
         let parsed = charlie.parse_msg(&hi_msg).await;
         assert_eq!(parsed.header_exists(HeaderDef::AutocryptGossip), false);
-        assert_eq!(contains(&parsed, "[email protected]"), false);
-        assert_eq!(contains(&parsed, "[email protected]"), false);
+        assert_eq!(parsed.decoded_data_contains("[email protected]"), false);
+        assert_eq!(parsed.decoded_data_contains("[email protected]"), false);
 
         let parsed_by_bob = bob.parse_msg(&hi_msg).await;
         assert_eq!(parsed_by_bob.decrypting_failed, false);
@@ -2730,8 +2724,8 @@ async fn test_broadcast_members_cant_see_each_other() -> Result<()> {
             "[email protected] [email protected]"
         );
         let parsed = charlie.parse_msg(&member_removed).await;
-        assert!(contains(&parsed, "[email protected]"));
-        assert_eq!(contains(&parsed, "[email protected]"), false);
+        assert!(parsed.decoded_data_contains("[email protected]"));
+        assert_eq!(parsed.decoded_data_contains("[email protected]"), false);
 
         let parsed_by_bob = bob.parse_msg(&member_removed).await;
         assert!(parsed_by_bob.decrypting_failed);

diff --git a/src/config.rs b/src/config.rs
@@ -438,8 +438,19 @@ pub enum Config {
     /// storing the same token multiple times on the server.
     EncryptedDeviceToken,
 
+    /// Enables running test hooks, e.g. see `InnerContext::pre_encrypt_mime_hook`.
+    /// This way is better than conditional compilation, i.e. `#[cfg(test)]`, because tests not
+    /// using this still run unmodified code.
+    TestHooks,
+
     /// Return an error from `receive_imf_inner()` for a fully downloaded message. For tests.
     FailOnReceivingFullMsg,
+
+    /// Enable composing emails with Header Protection as defined in
+    /// <https://www.rfc-editor.org/rfc/rfc9788.html> "Header Protection for Cryptographically
+    /// Protected Email".
+    #[strum(props(default = "1"))]
+    StdHeaderProtectionComposing,
 }
 
 impl Config {

diff --git a/src/context.rs b/src/context.rs
@@ -303,6 +303,17 @@ pub struct InnerContext {
     /// `Connectivity` values for mailboxes, unordered. Used to compute the aggregate connectivity,
     /// see [`Context::get_connectivity()`].
     pub(crate) connectivities: parking_lot::Mutex<Vec<ConnectivityStore>>,
+
+    #[expect(clippy::type_complexity)]
+    /// Transforms the root of the cryptographic payload before encryption.
+    pub(crate) pre_encrypt_mime_hook: parking_lot::Mutex<
+        Option<
+            for<'a> fn(
+                &Context,
+                mail_builder::mime::MimePart<'a>,
+            ) -> mail_builder::mime::MimePart<'a>,
+        >,
+    >,
 }
 
 /// The state of ongoing process.
@@ -467,6 +478,7 @@ impl Context {
             iroh: Arc::new(RwLock::new(None)),
             self_fingerprint: OnceLock::new(),
             connectivities: parking_lot::Mutex::new(Vec::new()),
+            pre_encrypt_mime_hook: None.into(),
         };
 
         let ctx = Context {
@@ -1051,13 +1063,27 @@ impl Context {
                 .await?
                 .to_string(),
         );
+        res.insert(
+            "test_hooks",
+            self.sql
+                .get_raw_config("test_hooks")
+                .await?
+                .unwrap_or_default(),
+        );
         res.insert(
             "fail_on_receiving_full_msg",
             self.sql
                 .get_raw_config("fail_on_receiving_full_msg")
                 .await?
                 .unwrap_or_default(),
         );
+        res.insert(
+            "std_header_protection_composing",
+            self.sql
+                .get_raw_config("std_header_protection_composing")
+                .await?
+                .unwrap_or_default(),
+        );
 
         let elapsed = time_elapsed(&self.creation_time);
         res.insert("uptime", duration_to_str(elapsed));

diff --git a/src/dehtml.rs b/src/dehtml.rs
@@ -13,6 +13,7 @@ use quick_xml::{
 
 use crate::simplify::{SimplifiedText, simplify_quote};
 
+#[derive(Default)]
 struct Dehtml {
     strbuilder: String,
     quote: String,
@@ -25,6 +26,9 @@ struct Dehtml {
     /// Everything between `<div name="quote">` and `<div name="quoted-content">` is usually metadata
     /// If this is > `0`, then we are inside a `<div name="quoted-content">`.
     divs_since_quoted_content_div: u32,
+    /// `<div class="header-protection-legacy-display">` elements should be omitted, see
+    /// <https://www.rfc-editor.org/rfc/rfc9788.html#section-4.5.3.3>.
+    divs_since_hp_legacy_display: u32,
     /// All-Inkl just puts the quote into `<blockquote> </blockquote>`. This count is
     /// increased at each `<blockquote>` and decreased at each `</blockquote>`.
     blockquotes_since_blockquote: u32,
@@ -48,20 +52,25 @@ impl Dehtml {
     }
 
     fn get_add_text(&self) -> AddText {
-        if self.divs_since_quote_div > 0 && self.divs_since_quoted_content_div == 0 {
-            AddText::No // Everything between `<div name="quoted">` and `<div name="quoted_content">` is metadata which we don't want
+        // Everything between `<div name="quoted">` and `<div name="quoted_content">` is
+        // metadata which we don't want.
+        if self.divs_since_quote_div > 0 && self.divs_since_quoted_content_div == 0
+            || self.divs_since_hp_legacy_display > 0
+        {
+            AddText::No
         } else {
             self.add_text
         }
     }
 }
 
-#[derive(Debug, PartialEq, Clone, Copy)]
+#[derive(Debug, Default, PartialEq, Clone, Copy)]
 enum AddText {
     /// Inside `<script>`, `<style>` and similar tags
     /// which contents should not be displayed.
     No,
 
+    #[default]
     YesRemoveLineEnds,
 
     /// Inside `<pre>`.
@@ -121,12 +130,7 @@ fn dehtml_quick_xml(buf: &str) -> (String, String) {
 
     let mut dehtml = Dehtml {
         strbuilder: String::with_capacity(buf.len()),
-        quote: String::new(),
-        add_text: AddText::YesRemoveLineEnds,
-        last_href: None,
-        divs_since_quote_div: 0,
-        divs_since_quoted_content_div: 0,
-        blockquotes_since_blockquote: 0,
+        ..Default::default()
     };
 
     let mut reader = quick_xml::Reader::from_str(buf);
@@ -244,6 +248,7 @@ fn dehtml_endtag_cb(event: &BytesEnd, dehtml: &mut Dehtml) {
         "div" => {
             pop_tag(&mut dehtml.divs_since_quote_div);
             pop_tag(&mut dehtml.divs_since_quoted_content_div);
+            pop_tag(&mut dehtml.divs_since_hp_legacy_display);
 
             *dehtml.get_buf() += "\n\n";
             dehtml.add_text = AddText::YesRemoveLineEnds;
@@ -295,6 +300,8 @@ fn dehtml_starttag_cb<B: std::io::BufRead>(
         "div" => {
             maybe_push_tag(event, reader, "quote", &mut dehtml.divs_since_quote_div);
             maybe_push_tag(event, reader, "quoted-content", &mut dehtml.divs_since_quoted_content_div);
+            maybe_push_tag(event, reader, "header-protection-legacy-display",
+                &mut dehtml.divs_since_hp_legacy_display);
 
             *dehtml.get_buf() += "\n\n";
             dehtml.add_text = AddText::YesRemoveLineEnds;
@@ -539,6 +546,27 @@ mod tests {
         assert_eq!(txt.text.trim(), "two\nlines");
     }
 
+    #[test]
+    fn test_hp_legacy_display() {
+        let input = r#"
+<html><head><title></title></head><body>
+<div class="header-protection-legacy-display">
+<pre>Subject: Dinner plans</pre>
+</div>
+<p>
+Let's meet at Rama's Roti Shop at 8pm and go to the park
+from there.
+</p>
+</body>
+</html>
+        "#;
+        let txt = dehtml(input).unwrap();
+        assert_eq!(
+            txt.text.trim(),
+            "Let's meet at Rama's Roti Shop at 8pm and go to the park from there."
+        );
+    }
+
     #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
     async fn test_quote_div() {
         let input = include_str!("../test-data/message/gmx-quote-body.eml");

diff --git a/src/headerdef.rs b/src/headerdef.rs
@@ -138,6 +138,9 @@ pub enum HeaderDef {
     /// Advertised gossip topic for one webxdc.
     IrohGossipTopic,
 
+    /// See <https://www.rfc-editor.org/rfc/rfc9788.html#name-hp-outer-header-field>.
+    HpOuter,
+
     #[cfg(test)]
     TestHeader,
 }

diff --git a/src/mimefactory.rs b/src/mimefactory.rs
@@ -1083,6 +1083,9 @@ impl MimeFactory {
             }
         }
 
+        let use_std_header_protection = context
+            .get_config_bool(Config::StdHeaderProtectionComposing)
+            .await?;
         let outer_message = if let Some(encryption_pubkeys) = self.encryption_pubkeys {
             // Store protected headers in the inner message.
             let message = protected_headers
@@ -1098,6 +1101,22 @@ impl MimeFactory {
                     message.header(header, value)
                 });
 
+            if use_std_header_protection {
+                message = unprotected_headers
+                    .iter()
+                    // Structural headers shouldn't be added as "HP-Outer". They are defined in
+                    // <https://www.rfc-editor.org/rfc/rfc9787.html#structural-header-fields>.
+                    .filter(|(name, _)| {
+                        !(name.eq_ignore_ascii_case("mime-version")
+                            || name.eq_ignore_ascii_case("content-type")
+                            || name.eq_ignore_ascii_case("content-transfer-encoding")
+                            || name.eq_ignore_ascii_case("content-disposition"))
+                    })
+                    .fold(message, |message, (name, value)| {
+                        message.header(format!("HP-Outer: {name}"), value.clone())
+                    });
+            }
+
             // Add gossip headers in chats with multiple recipients
             let multiple_recipients =
                 encryption_pubkeys.len() > 1 || context.get_config_bool(Config::BccSelf).await?;
@@ -1187,7 +1206,13 @@ impl MimeFactory {
             for (h, v) in &mut message.headers {
                 if h == "Content-Type" {
                     if let mail_builder::headers::HeaderType::ContentType(ct) = v {
-                        *ct = ct.clone().attribute("protected-headers", "v1");
+                        let mut ct_new = ct.clone();
+                        ct_new = ct_new.attribute("protected-headers", "v1");
+                        if use_std_header_protection {
+                            ct_new = ct_new.attribute("hp", "cipher");
+                        }
+                        *ct = ct_new;
+                        break;
                     }
                 }
             }
@@ -1232,6 +1257,12 @@ impl MimeFactory {
             // once new core versions are sufficiently deployed.
             let anonymous_recipients = false;
 
+            if context.get_config_bool(Config::TestHooks).await? {
+                if let Some(hook) = &*context.pre_encrypt_mime_hook.lock() {
+                    message = hook(context, message);
+                }
+            }
+
             let encrypted = if let Some(shared_secret) = shared_secret {
                 encrypt_helper
                     .encrypt_symmetrically(context, &shared_secret, message, compress)
@@ -1319,7 +1350,13 @@ impl MimeFactory {
                 for (h, v) in &mut message.headers {
                     if h == "Content-Type" {
                         if let mail_builder::headers::HeaderType::ContentType(ct) = v {
-                            *ct = ct.clone().attribute("protected-headers", "v1");
+                            let mut ct_new = ct.clone();
+                            ct_new = ct_new.attribute("protected-headers", "v1");
+                            if use_std_header_protection {
+                                ct_new = ct_new.attribute("hp", "clear");
+                            }
+                            *ct = ct_new;
+                            break;
                         }
                     }
                 }

diff --git a/src/mimefactory/mimefactory_tests.rs b/src/mimefactory/mimefactory_tests.rs
@@ -832,8 +832,32 @@ async fn test_protected_headers_directive() -> Result<()> {
             .count(),
         1
     );
-    assert_eq!(part.match_indices("Subject:").count(), 1);
+    assert_eq!(part.match_indices("Subject:").count(), 2);
+    assert_eq!(part.match_indices("HP-Outer: Subject:").count(), 1);
+    Ok(())
+}
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_hp_outer_headers() -> Result<()> {
+    let mut tcm = TestContextManager::new();
+    let t = &tcm.alice().await;
+    let chat_id = t.get_self_chat().await.id;
+
+    for std_hp_composing in [false, true] {
+        t.set_config_bool(Config::StdHeaderProtectionComposing, std_hp_composing)
+            .await?;
+        chat::send_text_msg(t, chat_id, "hi!".to_string()).await?;
+        let sent_msg = t.pop_sent_msg().await;
+        let msg = MimeMessage::from_bytes(t, sent_msg.payload.as_bytes(), None).await?;
+        assert_eq!(msg.header_exists(HeaderDef::HpOuter), std_hp_composing);
+        for hdr in ["Date", "From", "Message-ID"] {
+            assert_eq!(
+                msg.decoded_data_contains(&format!("HP-Outer: {hdr}:")),
+                std_hp_composing,
+            );
+        }
+        assert!(!msg.decoded_data_contains("HP-Outer: Content-Type"));
+    }
     Ok(())
 }