image blocking does not support image redirection

NEW
Unassigned

Status


defect
P2
normal
17 years ago
a year ago

People

(Reporter: bugzilla, Unassigned)

Tracking

Trunk
Points:
---
Bug Flags:
blocking1.3b -

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

17 years ago
image blocking does not block images when the images are being served via a 302
moved http command.

to reproduce:
1. go to http://hilsted.dk/pics/bornholm/pic01.jpg
2. block all images from this server
3. now go to http://gemal.dk/test/image.html

the image.html contains an img tag that points to an image.cgi script that does a
"302 Temporary Moved" and then redirects to
http://hilsted.dk/pics/bornholm/pic01.jpg

the image http://hilsted.dk/pics/bornholm/pic01.jpg should have been blocked but
it isn't.
(Reporter)

Comment 1

17 years ago
btw: if you on http://gemal.dk/test/image.html right click on the image and
select "block images from this server" you're actually blocking images from
"gemal.dk" and not "hilsted.dk" from which the image actually came!
OS: Windows 2000 → All
Hardware: PC → All
There is also another aspect of this bug, namely the other way round. I observed
(I think it was on some Lycos site) that images are given by a script which also
redirects, but to a "good server". The scripts were on a "bad server". I was not
able to block those bad scripts appearing in the src attribute of the img element.

pi

Updated

17 years ago
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla1.2beta

Comment 3

17 years ago
BTW bug 69486 noticed also problems with blocking redirected images.
This bug makes image blocking useless in many cases. Requesting blocking for 1.3b.

pi
Flags: blocking1.3b?

Updated

17 years ago
Flags: blocking1.3b? → blocking1.3b-
Reassigning Image Manager bugs to mstoltz and clearing milestone.
Assignee: morse → mstoltz
Group: security
Status: ASSIGNED → NEW
Target Milestone: mozilla1.2beta → ---
This bug was accidentally marked security-sensitive yesterday. Removing
security-sensitive status now.
Group: security

Comment 7

16 years ago
*** Bug 193099 has been marked as a duplicate of this bug. ***

Comment 8

16 years ago
IMHO important addition from bug 193099 is that redirection also breaks
"Accept images from the originating server only" feature
Unfortunately, there are lots of ways to bypass the "originating server only"
feature, and most of them are completely server-side; there's nothing we can do
about them. It may be that factoring in redirects is similarly futile, but I'm
not sure, so I won't mark this wontfix out of hand. I'm putting it to Future,
since no one here has time to work on it soon. If anyone really wants this
addressed sooner, please reassign the bug to someone who can work on it.
Status: NEW → ASSIGNED
Target Milestone: --- → Future

Updated

16 years ago
QA Contact: tever → nobody
When exactly is the check against the image manager performed?

pi
Summary: image blocking dont support image redirection → image blocking does not support image redirection
Target Milestone: Future → ---
Assignee: security-bugs → nobody
Status: ASSIGNED → NEW
QA Contact: nobody → image-blocking
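
Added example, not part of the original bug thread and not Mozilla code: a sketch of an image-blocking check applied to every hop of a redirect chain, covering the blocked redirect target from the description, the blocked redirecting script from the second comment, and the "originating server only" case from comment 8. The policy shape, the function names, the `lookup` stand-in for the network layer and the path of the image.cgi script are assumptions.

```javascript
// Constructed responses modelling the report; the image.cgi path is assumed.
const SAMPLE = {
  "http://gemal.dk/test/image.cgi":
    { status: 302, location: "http://hilsted.dk/pics/bornholm/pic01.jpg" },
  "http://hilsted.dk/pics/bornholm/pic01.jpg": { status: 200 },
};
const MAX_HOPS = 10; // bound the chain so redirect loops terminate

// True when `url` may be loaded as an image by a page served from `pageHost`.
function permitted(policy, url, pageHost) {
  const host = new URL(url).hostname;
  if (policy.blockedHosts.has(host)) return false;
  if (policy.originatingOnly && host !== pageHost) return false;
  return true;
}

// Behaviour described in the report: only the URL in the src attribute is checked.
function checkSrcOnly(policy, pageUrl, src) {
  return permitted(policy, src, new URL(pageUrl).hostname);
}

// Check each hop before it is requested. `lookup` is a hypothetical stand-in
// for the network layer and returns { status, location } for a URL.
function checkEveryHop(policy, pageUrl, src, lookup) {
  const pageHost = new URL(pageUrl).hostname;
  const chain = [];
  let url = src;
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    chain.push(url);
    if (!permitted(policy, url, pageHost)) return { allowed: false, blockedAt: url, chain };
    const res = lookup(url);
    if (!res || res.status < 300 || res.status >= 400 || !res.location) {
      return { allowed: true, blockedAt: null, chain };
    }
    url = new URL(res.location, url).href; // Location may be relative
  }
  return { allowed: false, blockedAt: url, chain }; // too many redirects: fail closed
}

const PAGE = "http://gemal.dk/test/image.html";
const SRC = "http://gemal.dk/test/image.cgi";
const lookup = (u) => SAMPLE[u];
const blockTarget = { blockedHosts: new Set(["hilsted.dk"]), originatingOnly: false };
const sameOriginOnly = { blockedHosts: new Set(), originatingOnly: true };

console.log(checkSrcOnly(blockTarget, PAGE, SRC)); // src-only check lets the image load
console.log(checkEveryHop(blockTarget, PAGE, SRC, lookup));
console.log(checkEveryHop(sameOriginOnly, PAGE, SRC, lookup));
```
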

Comment 11

a year ago
Is this thread still active?

Comment 12

a year ago
(In reply to Karen Snider from comment #11)
> Is this thread still active?

testing

Comment 13

a year ago
This is a test http://freeadultcamsonline.com