Summary

• Detects remote http(s) references in HTML preview (<img src>, <* background>, srcset, poster, CSS url()).
• When detected, shows an amber banner above the iframe: "Remote images blocked. Senders may track when this email is opened." with a Load images button.
• Click widens the iframe CSP img-src directive to ${origin} data: http: https: for that message only. All other CSP directives stay strict (scripts, fonts, frames, objects, forms remain blocked).
• State is local to MessageDetail and resets on message change — switching away and back re-shows the banner. No localStorage, no global setting, no backend change.
• Pattern matches Gmail / Thunderbird / Apple Mail.

Closes #29.

Files

• ui/src/components/MessageDetail.tsx — cspMeta(allowRemoteImages), hasRemoteImages(), banner + reactive memos in HtmlPreview.
• .gitignore — ignore .playwright-mcp/ (local browser test dumps).

Test plan

• Email with no remote images → no banner, current behavior unchanged.
• Email with <img src="https://..."> → banner shown, image blocked, CSP strict.
• Click Load images → banner disappears, image loads, CSP widened only on img-src.
• Switch to another message and back → banner reappears (state not persisted).
• Detector covers <td background>, <img srcset>, CSS url(http...), <video poster>.
• pnpm tsc --noEmit clean.
• pnpm exec prettier --check clean.
• pnpm build clean (60.4 KB JS / 32.9 KB CSS gzipped).
• cargo clippy --all-targets -- -D warnings clean.
• cargo test --workspace passes.