X-Mozilla-External-Attachment-URL allows loading remote images even if disabled in privacy settings (in rss feeds)

Status: RESOLVED WONTFIX
Product/Component: Thunderbird :: Security
Reporter: Julian (Unassigned)
Version: 38 Branch
Firefox Tracking Flags: (Not tracked)

Description (Reporter)

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.125 Safari/537.36

Steps to reproduce:

- configure Thunderbird to not allow remote content (Tools > Options > Privacy > uncheck "Allow remote content")
- configure the News & Blogs account to show the article summary instead of loading the web page (Tools > Account Settings > News & Blogs > check "By default, show the article summary instead of loading the web page")
- check Display Attachments Inline (View > Display Attachments Inline)
- subscribe to the following feed: http://futurezone.at/rss.xml
- click on a downloaded feed message

```
From - Mon, 14 Mar 2016 19:22:43 +0100
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Received: by localhost; Tue, 15 Mar 2016 04:04:25 +0100
Date: Mon, 14 Mar 2016 19:22:43 +0100
Message-Id: <http://futurezone.at/produkte/western-digital-bringt-pidrive-mit-314gb-fuer-raspberry-pi/186.872.629@localhost.localdomain>
From: FUTUREZONE.at Redaktion
MIME-Version: 1.0
Subject: Western Digital bringt PiDrive mit 314GB für Raspberry Pi
Keywords: News,Produkte
Content-Transfer-Encoding: 8bit
Content-Base: http://futurezone.at/produkte/western-digital-bringt-pidrive-mit-314gb-fuer-raspberry-pi/186.872.629
Content-Type: multipart/mixed; boundary="------------704"

This is a multi-part message in MIME format.
--------------704
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <title>Western Digital bringt PiDrive mit 314GB für Raspberry Pi</title>
    <base href="http://futurezone.at/produkte/western-digital-bringt-pidrive-mit-314gb-fuer-raspberry-pi/186.872.629">
  </head>
  <body id="msgFeedSummaryBody" selected="false">
    Das PiDrive ist als Zubehör für den aktuellsten Raspberry Pi gedacht und wird um 34 Euro verkauft.
  </body>
</html>


--------------704
Content-Type: image/jpeg; name="186.872.591"; size=496690
X-Mozilla-External-Attachment-URL: http://images03.futurezone.at/pidrive.jpg/186.872.591
Content-Disposition: attachment; filename="186.872.591"

This MIME attachment is stored separately from the message.
--------------704--
```


Actual results:

In the preview pane the image is shown, but the "attachment" is a remote image and not an attachment contained in the mail.



Expected results:

The regular warning "To protect your privacy, Thunderbird has blocked remote content in this message", known from
http://kb.mozillazine.org/Privacy_basics_%28Thunderbird%29 and
http://kb.mozillazine.org/images/Tbird_Remote_Images.png
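As an added example (not code from the bug report or from Thunderbird itself): a small Python audit that parses a message of the shape quoted above and lists the MIME parts whose X-Mozilla-External-Attachment-URL header would cause a network fetch when attachments are displayed inline. The sample message, its hosts and its file path are constructed placeholders; the only real header name is the one from the report.

```python
"""Audit a Thunderbird-style feed message for remote attachment references.

Added example, not part of the bug report or of Thunderbird's code. It parses
a message in the form the report shows and reports every MIME part whose
X-Mozilla-External-Attachment-URL header points at an http/https resource,
i.e. the parts Thunderbird would fetch with "Display Attachments Inline" on,
regardless of the "Allow remote content" privacy setting for feeds.
"""
from email import message_from_string, policy
from urllib.parse import urlsplit

# Constructed sample modelled on the message in the report.  The boundary,
# hosts and file path are placeholders, not the feed's real values.
SAMPLE_MESSAGE = """\
MIME-Version: 1.0
Subject: Constructed feed item
Content-Base: http://feed.example/article/1
Content-Type: multipart/mixed; boundary="feedpart"

This is a multi-part message in MIME format.
--feedpart
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html><body>Summary text only.</body></html>

--feedpart
Content-Type: image/jpeg; name="img1"; size=496690
X-Mozilla-External-Attachment-URL: http://images.example/img1.jpg
Content-Disposition: attachment; filename="img1"

This MIME attachment is stored separately from the message.
--feedpart
Content-Type: image/png; name="img2"
X-Mozilla-External-Attachment-URL: file:///home/user/.thunderbird/att/img2.png
Content-Disposition: attachment; filename="img2"

This MIME attachment is stored separately from the message.
--feedpart--
"""

# Schemes whose URL triggers a network request when the part is rendered.
REMOTE_SCHEMES = {"http", "https"}


def external_attachments(raw):
    """Return (content_type, url) for every part carrying the external-URL header."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        url = part.get("X-Mozilla-External-Attachment-URL")
        if url:
            found.append((part.get_content_type(), str(url).strip()))
    return found


def remote_attachments(raw):
    """Subset of external_attachments whose URL would cause a network fetch.

    Detached attachments that Thunderbird stores locally use file: URLs and
    are not a privacy concern, so only http/https references are reported.
    """
    return [(ctype, url) for ctype, url in external_attachments(raw)
            if urlsplit(url).scheme.lower() in REMOTE_SCHEMES]


def remote_hosts(raw):
    """Distinct hosts that would be contacted when the message is rendered inline."""
    return sorted({urlsplit(url).hostname for _, url in remote_attachments(raw)})


if __name__ == "__main__":
    for ctype, url in remote_attachments(SAMPLE_MESSAGE):
        print(f"remote attachment {ctype}: {url}")
    print("hosts contacted:", ", ".join(remote_hosts(SAMPLE_MESSAGE)))
```

Run against an exported .eml from a feed account, the host list is the set of third parties that receive a request (and the reader's IP address) as soon as the message is selected in the preview pane, which is the behaviour the report describes.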

Comment 2

2 years ago
The privacy options only apply to mail content, not feeds.
Summary: X-Mozilla-External-Attachment-URL allows loading remote images even if disabled in privacy settings → X-Mozilla-External-Attachment-URL allows loading remote images even if disabled in privacy settings (in rss feeds)
Comment 3 (Reporter)

2 years ago
@Magnus Melin: I can't share your point of view. Only because it's a feed, why doesn't privacy apply there? This is inconsistent. Loading of web beacons for tracking can be used in emails and in feeds.

Comment 4

2 years ago
The difference is that you choose what you subscribe to, but not what emails you receive. There really isn't much of a web beacon issue, as even if the image loads it's not an image connected to your identity - it's just "someone" loading the image. This is also *vastly* different from a targeted email with tailored links.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX