Closed
Bug 39972
Opened 24 years ago
Closed 21 years ago
Images written via Javascript are loaded even if not from the originating server
Categories
(Core :: Graphics: Image Blocking, enhancement, P4)
Tracking
RESOLVED
WORKSFORME
Future
People
(Reporter: fosterd, Assigned: security-bugs)
Attachments (1 file): 404 bytes, text/html
I have my image preferences set to only load images on the same server as the page. However, if an IMG tag is written via document.write in Javascript, Mozilla loads the image even if it is on another server. You can see an example of this at http://freshmeat.net/. I am using 052008.
Comment 1•24 years ago
updating component and owner.
Assignee: asadotzler → morse
Status: UNCONFIRMED → NEW
Component: Browser-General → XPApps
Ever confirmed: true
Comment 2•24 years ago
Good catch -- I didn't think about that case. I'll put it on my enhancement list.
Status: NEW → ASSIGNED
Target Milestone: --- → M20
Comment 3•24 years ago
Sorry for the spam. New QA Contact for Browser General. Thanks for your help, Joseph (good luck with the new job), and welcome aboard, Doron Rosenberg.
QA Contact: jelwell → doronr
Updated•24 years ago
Severity: normal → enhancement
Target Milestone: M20 → M30
Comment 6•24 years ago
h'm, i'm not the qa person for the image stuff...over to Eli. should this remain in xp apps, or is there a more appropriate component? thx.
QA Contact: sairuh → elig
Comment 7•24 years ago
I so totally don't know what component this belongs in. I defer to Steve Morse, who appears to be keeping the bug.
Updated•24 years ago
Summary: Images written via Javascript are loaded even if not from the originating server → [z]Images written via Javascript are loaded even if not from the originating server
Comment 8 (Reporter)•24 years ago
Sorry for my ignorance, but what's this [z] thing mean?
Updated•24 years ago
Summary: [z]Images written via Javascript are loaded even if not from the originating server → Images written via Javascript are loaded even if not from the originating server
Whiteboard: [z]
Updated•24 years ago
QA Contact: elig → sairuh
Updated•24 years ago
QA Contact: sairuh → tpreston
nav triage team: We should look into this one. Marking nsbeta1, p4, mozilla0.9
Comment 10•24 years ago
After consulting with Steve Morse, since we've minused other image manager bugs, no sense making this the odd man out. Marking this nsbeta1-
Updated•24 years ago
Whiteboard: [z]
Reassigning to new owner
Assignee: morse → mstoltz
Status: ASSIGNED → NEW
Component: XP Apps → Image Blocking
QA Contact: tpreston → tever
Comment 12•21 years ago
There also seems to be a problem (in 1.3a, anyway) with Javascript being able to load an image even if the image's server is on the Image Manager block list. Yahoo Mail presented an ad to me today with the following code in it, perhaps explicitly trying to exploit this weakness:
<script language="javascript" src=" http://z1.adserver.com/snip"></script>
<noscript><a href="http://rd.yahoo.com/M=snip*http://z1.adserver.com/snip" target="_blank">
<img width=728 height=90 src="http://z1.adserver.com/snip" border=0></a></noscript>
FWIW, the snips after z1.adserver.com were virtually (but not completely) identical. When the image is served via Javascript, the right-mouse button isn't available to try to add the server to the block list, either.
HTH,
Dave
Comment 13•21 years ago
Is this still a problem? Could someone post a complete testcase showing the bug?
Comment 14•21 years ago
*** Bug 188942 has been marked as a duplicate of this bug. ***
Comment 15•21 years ago
looks fixed to me.
Comment 16•21 years ago
worksforme too. Marking so, but please reopen with testcase if the problem still exists...
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME