Closed
Bug 366782
Opened 18 years ago
Closed 18 years ago
IMG tags in NNTP posts cannot be blocked
Categories
(Thunderbird :: Mail Window Front End, enhancement)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 272984
People
(Reporter: n6aoz, Assigned: mscott)
Details
(Keywords: privacy)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9
Build Identifier: version 1.5.0.9 (20061207)

An NNTP article includes an <IMG src="http://badsite/....jpg">. Thunderbird does not block the image (even though "Privacy/General/Block loading of remote images in mail messages" is checked). I assume Thunderbird sent an HTTP request to badsite, and badsite now has (at a minimum) my IP address. This is a privacy/security problem. The 'Block loading of remote images' preference should also apply to NNTP.

Reproducible: Didn't try

Steps to Reproduce:
I don't have access to a webserver to emulate the badsite. But try this:
1. Set the 'Block loading of remote images...' checkbox.
2. Create an NNTP article with an embedded <IMG src=http://yourserver/...jpg> tag.
3. In Thunderbird, read the article.

Actual Results:
I see the image.

Expected Results:
The yellow 'thunderbird has blocked images' message should appear.

I have not tested this for RSS. I expect a similar problem.
Comment 1•18 years ago
This is a legit enhancement request so confirming, but this may be an explicit decision for news (I'm not a mail guy). In the meantime, for your own protection you can use the View menu to show message bodies as "Simple HTML" which will strip out all images regardless. Or even use "plain text" which is really what news should be anyway. Unfortunately the view setting is global; it would be nice if it were per account.
Group: security
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy
Comment 2•18 years ago
(In reply to comment #1)
> you can use the View menu to show
> message bodies as "Simple HTML" which will strip out all images regardless.

No, it doesn't, not by default. You can tweak to cause this behavior, however, by adjusting the pref mailnews.display.html_sanitizer.allowed_tags to either remove the "img(...)" part entirely, or remove the 'src' from the parenthesized list.

> Unfortunately the view setting is global, would be nice if it were per
> account.

Per-folder: bug 233109
Updated•18 years ago
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
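
The two allowed_tags tweaks described in comment 2, modelled as an added example (not Thunderbird code and not part of the original bug report). It assumes the pref is a space-separated list of "tag(attr,...)" entries; the pref value, article body, host name and all function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed, shortened value in the assumed "tag(attr,...)" format; NOT the real default.
SAMPLE_PREF = "p br b i a(href,title) img(alt,title,src)"
# Constructed article body; badsite.example stands in for the reporter's "badsite".
SAMPLE_BODY = '<p>Hi <b>all</b></p><img alt="logo" src="http://badsite.example/pixel.jpg">'

def parse_allowed(pref):
    """Parse 'tag(attr,attr) tag ...' into {tag: [attrs]}."""
    allowed = {}
    for entry in pref.split():
        tag, _, rest = entry.partition("(")
        allowed[tag.lower()] = [a.lower() for a in rest.rstrip(")").split(",") if a]
    return allowed

def tweak(pref, drop_img=False):
    """Comment 2's two options: remove img(...) entirely, or only its 'src'."""
    allowed = parse_allowed(pref)
    if drop_img:
        allowed.pop("img", None)
    elif "img" in allowed:
        allowed["img"] = [a for a in allowed["img"] if a != "src"]
    return " ".join(t + ("(%s)" % ",".join(a) if a else "") for t, a in allowed.items())

class Sanitizer(HTMLParser):
    """Keeps only allowlisted tags and attributes; text is kept and re-escaped."""
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.remote = allowed, [], []
    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return
        kept = [(k, v or "") for k, v in attrs if k in self.allowed[tag]]
        # Record every image URL that would trigger an HTTP(S) request on display.
        self.remote += [v for k, v in kept if tag == "img" and k == "src"
                        and v.lower().startswith(("http://", "https://"))]
        self.out.append("<" + tag + "".join(' %s="%s"' % (k, html.escape(v)) for k, v in kept) + ">")
    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize(body, pref):
    """Return (sanitized_html, remote_image_urls_still_present)."""
    s = Sanitizer(parse_allowed(pref))
    s.feed(body)
    s.close()
    return "".join(s.out), s.remote
```

With src still listed for img, the remote URL survives sanitizing; after either tweak the second element of the result is empty, meaning no image request would leave the client.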