Closed Bug 366782 Opened 18 years ago Closed 18 years ago

IMG tags in NNTP posts cannot be blocked

Categories

(Thunderbird :: Mail Window Front End, enhancement)

x86
Windows XP
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 272984

People

(Reporter: n6aoz, Assigned: mscott)

Details

(Keywords: privacy)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9
Build Identifier: version 1.5.0.9 (20061207)

An NNTP article includes an <IMG src="http://badsite/....jpg">.
Thunderbird does not block the image (even though "Privacy/General/Block loading of remote images in mail messages" is checked).
I assume Thunderbird sent an HTTP request to badsite, and badsite now has (at a minimum) my IP address.
This is a privacy/security problem.  The 'Block loading of remote images' preference should also apply to NNTP.

Reproducible: Didn't try

Steps to Reproduce:
I don't have access to a webserver to emulate the badsite.  But try this:
1. Set the 'Block loading of remote images...' checkbox.
2. Create an NNTP article with an embedded <IMG src=http://yourserver/...jpg> tag.
3. In Thunderbird, read the article.

Actual Results:  
I see the image.

Expected Results:  
The yellow 'thunderbird has blocked images' message should appear.

I have not tested this for RSS.  I expect a similar problem.

This is a legit enhancement request so confirming, but this may be an explicit decision for news (I'm not a mail guy).

In the meantime, for your own protection you can use the View menu to show message bodies as "Simple HTML" which will strip out all images regardless. Or even use "plain text" which is really what news should be anyway. Unfortunately the view setting is global, would be nice if it were per account.
Group: security
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy

(In reply to comment #1)
> you can use the View menu to show
> message bodies as "Simple HTML" which will strip out all images regardless. 

No, it doesn't, not by default.  You can tweak to cause this behavior, however, by adjusting the pref
  mailnews.display.html_sanitizer.allowed_tags
to either remove the "img(...)" part entirely, or remove the 'src' from the parenthesized list.


> Unfortunately the view setting is global, would be nice if it were per
> account.

Per-folder:  bug 233109
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
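
The pref edit described in the reply above, as an added example that is not part of the bug thread or Thunderbird's own code: it rewrites an `allowed_tags` value either by dropping the `img` entry or by removing `src` from its attribute list, and renders the resulting `user.js` line. The entry format (space-separated `tag` or `tag(attr,...)`) is assumed from the "img(...)" wording, and the sample value is constructed, not the shipped default.

```javascript
// Added example: rewrite a mailnews.display.html_sanitizer.allowed_tags value.
// Assumed format: space-separated entries, each "tag" or "tag(attr,attr,...)".

// Constructed sample value, NOT Thunderbird's shipped default.
const SAMPLE_ALLOWED_TAGS =
  "p br div(lang) a(href,name,title) img(alt,title,longdesc,src) b i";

// Parse one entry into { tag, attrs }; attrs is null when there are no parentheses.
function parseEntry(entry) {
  const m = /^([A-Za-z0-9]+)(?:\(([^()]*)\))?$/.exec(entry);
  if (!m) throw new Error("unrecognized entry: " + entry);
  const attrs = m[2] === undefined
    ? null
    : m[2].split(",").map(a => a.trim()).filter(a => a.length > 0);
  return { tag: m[1], attrs };
}

function formatEntry({ tag, attrs }) {
  return attrs && attrs.length > 0 ? `${tag}(${attrs.join(",")})` : tag;
}

// mode "drop-img": remove the img entry entirely.
// mode "drop-src": keep img (alt text still renders) but remove its src attribute.
function hardenAllowedTags(value, mode) {
  if (mode !== "drop-img" && mode !== "drop-src") {
    throw new Error("unknown mode: " + mode);
  }
  const out = [];
  for (const raw of value.trim().split(/\s+/).filter(Boolean)) {
    const e = parseEntry(raw);
    if (e.tag.toLowerCase() === "img") {
      if (mode === "drop-img") continue;
      e.attrs = (e.attrs || []).filter(a => a.toLowerCase() !== "src");
    }
    out.push(formatEntry(e));
  }
  return out.join(" ");
}

// Render the line to place in user.js in the profile directory.
function toUserPref(value) {
  return 'user_pref("mailnews.display.html_sanitizer.allowed_tags", ' +
    JSON.stringify(value) + ");";
}

console.log(toUserPref(hardenAllowedTags(SAMPLE_ALLOWED_TAGS, "drop-src")));
```

Feed it the current value copied from the Config Editor rather than the sample, so that every other entry in the list is preserved unchanged.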