229

Is JavaScript supported in an email message?

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
senthil
  • 2,317
  • 2
  • 13
  • 3
  • 84
    This doesn't deserve a -1 – kikito Jun 16 '10 at 14:50
  • 4
    Is the target email program, Outlook? Thunderbird? GMail? Hotmail? All of the above? Others? Different email programs render mails differently. – WonderWorker Jul 20 '16 at 13:55
  • 2
    I have just see that rockettheme guys are doing a countdown so days hours minutes and seconds and the graphics are animating too...amazing what is possible now. Not sure how else they might be doing this. Observed in mac mail client. – landed Sep 07 '16 at 14:45
  • 3
    I found a domain and got this - http://motionmailapp.com/ – landed Sep 07 '16 at 14:52
  • 3
    @landed I just saw the same thing in an email from WordPress. Turns out it's simply a dynamically-generated GIF that starts the countdown from when it's fetched (and it resets after 45 seconds - I guess if you haven't clicked through within 45 seconds, you've probably already closed the email). – Lionel Rowe Mar 08 '19 at 08:11
  • @LionelRowe Now I'm wondering if you could do something with an infinitely-loading GIF, where every second you send the next frame to all currently connected clients... Hm. – Nic Jul 10 '19 at 21:16
  • I was surprised to receive a marketing email from Google today that used JavaScript elements. While the existing answers are correct, I think the mechanism in this email is worth noting: this email used [AMP Email](https://amp.dev/about/email/), which is a common platform (based on the AMP Project) that allows the use of *some* JavaScript functionality within emails. The platform aims to serve the core tenets of the AMP Project (primarily speed) while also preserving security, and is worth checking out if you wish to send rich emails. – Mike Hill Mar 30 '21 at 21:40

11 Answers11

74

http://en.wikipedia.org/wiki/Comparison_of_e-mail_clients

Old clients, such as Lotus Notes, Mozilla Thunderbird, Outlook Express, and Windows Live Mail all seem to have supported some sort of JavaScript execution. Nothing else does.

It seems like a bad idea security-wise, so I would expect this to be a feature that won't always be around, even in these clients.

MatthewMartin
  • 32,326
  • 33
  • 105
  • 164
  • 11
    "Lotus Notes, Mozilla Thunderbird, Outlook Express, and Windows Live Mail all seem to support some sort of JavaScript execution" — In message template scripts, not in received emails. – Quentin Feb 22 '16 at 15:18
  • 4
    Wow, these clients are now so old the links on how they used to behave are dying out, I can't confirm or deny any of it. Six years later, I'd be surprised if there is a single email client still in use that has any sort of script execution enabled on purpose. – MatthewMartin Feb 22 '16 at 16:30
  • 2
    @MatthewMartin Those 6 years have come. – boc Oct 14 '22 at 14:47
39

Short answer

No

Descriptive answer

It depends. But the email is not guaranteed to behave in the way you want it to. Different email clients handle JS differently. Most of the newer email clients do not support any of it since it is potentially very dangerous to support script execution in a desktop application which contains so much of your personal info.

I had a use case where I needed to use JS in an email. I tried out on the web client of outlook and desktop client as well, and it turns out outlook just wipes out the script part of your HTML email. There might be some other email client which does support JS execution, but given that you cannot control the client where your email would be viewed in the client machine, it's not a good idea to embed any scripts in the HTML email.

Its advised to keep your HTML email as simple as possible, no JS, and the least CSS you can do with (because, again, different email clients have varying support for CSS as well) eg: outlook's web client was not even recognizing an HTML button tag in the email. I had to use an anchor tag and some CSS on top of it to mimic the display of a button.

Bottom Line - Don't rely on Javascript when working with HTML email content.

Ketan R
  • 4,039
  • 1
  • 13
  • 15
  • What about web-based webmails like hotmail and gmail and protonmail ? Can they execute any sort of JS or did they have any other way to interact with you ? (like knowing when you open a mail with an image in the signature that is host to a server only for you and that record when someone try to access? ) (or other things i'm not aware of) – softyoda yoann Dec 23 '20 at 23:35
  • I haven't tested on these platforms but the web version of outlook was blocking all JS code for me. I suppose it is mainly to restrict the sender from interacting with the receiver in harmful ways. – Ketan R Dec 29 '20 at 05:52
  • @softyodayoann There's not a technical reason for webmail to disallow JavaScript in the emails, but it's a massive security risk, so there's a good business reason for them to disallow it. Of course, after they've remove any JS from the original email, they can add back in their own JS in order to track your interactions. – Charles Wood Mar 29 '21 at 18:47
  • 1
    At the same time, that makes emails so much less dynamic. There's a lot of value in sending apps via email. Or small embedded apps. We need a new email standard with built in security for running JS. – a5af Jul 14 '22 at 18:56
23

No, generally speaking email readers do not allow javascript.

jsight
  • 27,819
  • 25
  • 107
  • 140
  • 2
    how about gmail in chrome browser? – Nicolas S.Xu Jul 28 '17 at 00:35
  • 1
    @NicolasS.Xu Gmail removes the JavaScript from the mail before handing it to the browser. So JS does not work. I tested Gmail in Firefox 56 and Chrome 61. Also checked the code in webmaster tools, the JS code is removed. – Christopher K. Nov 06 '17 at 14:12
21

Other answerers have suggested that the answer is "No."

On the other hand, an html attachment will probably get opened in an environment that runs Javascript.

EDIT: It was suggested that I haven't properly answered the question so here goes a more complete effort.

Summary: I would expect that many or most users receiving an html-formatted email containing embedded Javascript will see it run and have run tests to confirm that this is true in some environments. But Javascript WILL be blocked for some users.

The protocols (specifically RFC2854) explicitly address scripting (within the text/html message body type) with the statement that:

In addition, the introduction of scripting languages and interactive capabilities in HTML 4.0 introduced a number of security risks associated with the automatic execution of programs written by the sender but interpreted by the recipient. User agents executing such scripts or programs must be extremely careful to insure that untrusted software is executed in a protected environment.

So the protocols do support Javascript, but which user agents do?

My (ancient) email reader uses a table to specify which viewer software to use for each mimetype, diverting html content to my favorite web browser. Almost all current web browsers support Javascript (and some issue dire warnings when you try to turn it off!) Do modern email agents include internal html interpreters and, if so, is the javascript turned on or off? I've checked documentation on Thunderbird and find that javascript seems to be turned on by default but can be turned off: http://codeverge.com/mozilla.support.thunderbird/simple-html-tags-reference-docume/2030160

I have noticed that some (?many?) users now access their email from a browser directly (webmail is one such platform) rather than running separate email software. All such platforms which I have tested so far do run any Javascript embedded in the html of the email message. However some such environments, depending on user security settings, do not automatically fetch external links (Javascript or pictures or other) and so can only run external Javascript from a file which is included as an attachment to the message. The same would be true of any offline email reader on a device without a current internet connection.

The above applies to javascript embedded in the main message part of the email body. One can also have html explicitly given as an "attachment", which if saved and then opened would be displayed in a web browser, wherein Javascript is available with very high likelyhood. Therefore, one might included a second copy of the javascript enabled email as an html attachement with an alternative text/plain main body and/or tag in the main text/html directing the user to the attachment.

I've been thinking about this because some of my acquaintances insist on sending me "email greeting cards" which consist of a text message directing me to a link which I've found so unsatisfactory that I refuse to even consider loading it just on principle. I have written and sent email greeting cards with interactive graphics and music and even games using embedded javascript and been satisfied with the result.

Therefore, I maintain that the correct answer is "Yes" both on the grounds that the protocols specifically address scripting and on the grounds that all the email agents I personally use ran the Javascript in my test emails.

Robert Morewood
  • 355
  • 2
  • 5
  • 3
    You don't give any concrete list of clients in which you tested JS successfully and with which JS code. I checked Thunderbird 52.4.0 with "Original HTML" setting, and it did ignore the JS `` in my test emails. Same for Outlook for Android 2.2.44, K-9 for Android 5.208, Gmail webmailer (tested 06.11.2017) and Roundcube webmailer 0.9.5. So I would agree to those saying it does not work in most (modern) clients. It is true that most users use webmailers, but for a good reason, these seem to strip JS out of the messages before handing them to the browser. – Christopher K. Nov 06 '17 at 13:59
  • 1
    As your link to the Thunderbird "documentation" is not documentation at all but refers to some user-contributed question, I searched for some official documentation and found this: https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Releases/3 - It says JS in emails got dropped in Thunderbird 3. – Christopher K. Nov 06 '17 at 14:08
  • This answer still works in gmail as of December 2022. However, in the desktop version of gmail in some browsers, the attachment must be saved and then opened (clicking it directly filters out the script). So it's best to include instructions for the user in plain text within the html (or else within the email). – personal_cloud Dec 23 '22 at 20:26
4

You aren't going to get executable JavaScript onto a server and into a mail client. But emails DO support links, you can always link to your content within an email.

Sam Becker
  • 19,231
  • 14
  • 60
  • 80
2

For most mail clients, no.

Mervyn
  • 1,003
  • 9
  • 12
2

No email client support javascript due to security concern

Try to send a mail with this HTML content

     <!DOCTYPE html>
     <html>
     <body>
     <button onclick="this.innerHTML=Date()">The time is?</button>
     </body>
     </html>
sumit kushwah
  • 54
  • 1
  • 5
1

It may be, but mail clients won't read it & mail servers may reject it. So leave it out.

Ed B
  • 6,028
  • 3
  • 26
  • 35
0

Javascript is not supported in emails.

Neil Knight
  • 47,437
  • 25
  • 129
  • 188
  • 3
    That is not true. At least Outlook and Outlook Express support Javascript, which is one of the many reasons to avoid them (for security reasons). – PauliL Jun 16 '10 at 16:24
  • 1
    @PauliL: That depends if your Restricted Sites zone settings allow it. – Neil Knight Jun 17 '10 at 07:30
0

You can view an email with JavaScript working with Windows Live Mail, but can't add JavaScript to a new email you wish to send. JavaScript also works with saved .eml files. Mozilla Thunderbird version 60.7.0 can't view or add JavaScript. (If you save an eml file with Thunderbird, the code will work if file is then loaded with Live Mail) You can send an email with JavaScript using PHP code. Some email websites may support it, but the few I used don't. (AOL, uk2.net, GMail)

Mark Antony Agius
  • 67
  • 1
  • 3
0

Short answer: No it is not supported in an email message

Long answer: I have tested it with two email readers. Outlook (online) and OE Classic. As OE Classic is very outdated (I use it on windows 7), it does support JavaScript and I tested it with an alert button. However, the newer Outlook does not even support buttons, which showed up as plain text. So to conclude JavaScript is only enabled on some, usually older, email readers but not on new ones such as Outlook.

Mr Chill
  • 1