[mschuster91]

The solution is very simple actually: place user-generated content like emails inside an iframe, after stripping out the JS. Add a CSP header disallowing external resource loads until the user confirms explicitly.

This way, content using position:absolute can't escape the iframe borders, and the mail gets to enjoy full responsiveness.

[packetslave]

a gentle hint: if you find yourself writing "the solution is very simple" and you're talking about something at the scale of gmail (or Firefox, or AWS, or Linux, or...), you can probably be assured there are a few things you haven't considered.

[jcranmer]

iframes require explicit sizing, it's hard to adapt the size of an iframe to the size of its contents. Gmail, for example, doesn't use iframes to display message contents.

There is a request to HTML to let iframes take the height of their contents (the main thing anyone wanted from <iframe seamless>, which is now removed from HTML), but it's gone nowhere as of yet.