Prevent configurations which could be used to to be a spam e-mail relay
Background
It used to be possible to configure webform and contact module to send a copy to the sender; this allows spammers to enter the e-mail address of their target as the address of the sender, and send slightly confusing spam for people.
Proposed solution
Find / open issues in Webform and/or Contact module queues and make the default of these modules (possibly admin-overridable) to prevent any configuration which would send copies of e-mails where the initiator can control both a significant part of the content and what address gets a copy.
Related to https://gitlab.com/drutopia/drutopia-platform/issues/23 as this configuration would have to be locked down.
Remaining work
Edited by benjamin melançon