Open
Bug 167047
Opened 23 years ago
Updated 2 years ago
image blocking does not support image redirection
Categories
(Core :: Graphics: Image Blocking, defect, P2)
NEW
People
(Reporter: bugzilla, Unassigned)
image blocking does not block images when the images are being served via a 302
moved http command.
to reproduce:
1. go to http://hilsted.dk/pics/bornholm/pic01.jpg
2. block all images from this server
3. now go to http://gemal.dk/test/image.html
the image.html contains an img tag that points to an image.cgi script that does a
"302 Temporary Moved" and then redirects to
http://hilsted.dk/pics/bornholm/pic01.jpg
the image http://hilsted.dk/pics/bornholm/pic01.jpg should have been blocked but
it isn't.
Reporter
Comment 1•23 years ago
btw: if you right-click on the image on http://gemal.dk/test/image.html and
select "block images from this server", you're actually blocking images from
"gemal.dk" and not "hilsted.dk", from which the image actually came!
OS: Windows 2000 → All
Hardware: PC → All
Comment 2•23 years ago
There is also another aspect of this bug, namely the other way round. I observed
(I think it was on some Lycos site) that images are given by a script which also
redirects, but to a "good server". The scripts were on a "bad server". I was not
able to block those bad scripts appearing in the src attribute of the img element.
pi
Updated•23 years ago
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla1.2beta
Comment 4•22 years ago
This bug makes image blocking useless in many cases. Requesting blocking for 1.3b.
pi
Flags: blocking1.3b?
Updated•22 years ago
Flags: blocking1.3b? → blocking1.3b-
Comment 5•22 years ago
Reassigning Image Manager bugs to mstoltz and clearing milestone.
Assignee: morse → mstoltz
Group: security
Status: ASSIGNED → NEW
Target Milestone: mozilla1.2beta → ---
Comment 6•22 years ago
This bug was accidentally marked security-sensitive yesterday. Removing
security-sensitive status now.
Group: security
*** Bug 193099 has been marked as a duplicate of this bug. ***
IMHO an important addition from bug 193099 is that redirection also breaks the
"Accept images from the originating server only" feature.
Comment 9•22 years ago
Unfortunately, there are lots of ways to bypass the "originating server only"
feature, and most of them are completely server-side; there's nothing we can do
about them. It may be that factoring in redirects is similarly futile, but I'm
not sure, so I won't mark this wontfix out of hand. I'm putting it to Future,
since no one here has time to work on it soon. If anyone really wants this
addressed sooner, please reassign the bug to someone who can work on it.
Status: NEW → ASSIGNED
Target Milestone: --- → Future
Comment 10•22 years ago
When exactly is the check against the image manager performed?
pi
Summary: image blocking dont support image redirection → image blocking does not support image redirection
Updated•22 years ago
Target Milestone: Future → ---
Updated•18 years ago
Assignee: security-bugs → nobody
Status: ASSIGNED → NEW
Updated•16 years ago
QA Contact: nobody → image-blocking
Updated•2 years ago
Severity: normal → S3
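The redirect cases raised in the description, Comment 2 and bug 193099, as an added sketch that is not Mozilla's image-blocking code: a host check applied to the src URL only, next to one applied to every hop of the redirect chain. The image.cgi path, the policy object and all function names are assumptions made for the illustration.

```javascript
// Added illustration, not Mozilla code. REDIRECTS is a constructed stand-in
// for the HTTP 302 responses in the report; the image.cgi path is assumed.
const REDIRECTS = new Map([
  ['http://gemal.dk/test/image.cgi', 'http://hilsted.dk/pics/bornholm/pic01.jpg'],
]);

// Follow Location targets from src and return every URL the load touches,
// or null on a redirect loop or an over-long chain (callers treat null as "block").
function redirectChain(src, redirects = REDIRECTS, maxHops = 5) {
  const chain = [new URL(src).href];
  while (redirects.has(chain[chain.length - 1])) {
    const current = chain[chain.length - 1];
    const next = new URL(redirects.get(current), current).href; // relative Location allowed
    if (chain.includes(next) || chain.length > maxHops) return null;
    chain.push(next);
  }
  return chain;
}

// Check that looks at one URL only: the one written in the src attribute.
function allowedInitialOnly(src, policy) {
  return !policy.blockedHosts.has(new URL(src).hostname);
}

// Check every hop: a blocked host anywhere in the chain blocks the image, and
// with originatingOnly set every hop must stay on the page's own host.
function allowedEveryHop(src, pageUrl, policy, redirects = REDIRECTS) {
  const chain = redirectChain(src, redirects);
  if (chain === null) return false;
  const pageHost = new URL(pageUrl).hostname;
  return chain.every((url) => {
    const host = new URL(url).hostname;
    if (policy.blockedHosts.has(host)) return false;
    return !policy.originatingOnly || host === pageHost;
  });
}

const page = 'http://gemal.dk/test/image.html';
const src = 'http://gemal.dk/test/image.cgi';
const blockTarget = { blockedHosts: new Set(['hilsted.dk']), originatingOnly: false };
const blockScript = { blockedHosts: new Set(['gemal.dk']), originatingOnly: false };
const sameOrigin = { blockedHosts: new Set(), originatingOnly: true };

console.log(allowedInitialOnly(src, blockTarget));    // true: redirect target never checked
console.log(allowedEveryHop(src, page, blockTarget)); // false: blocked at the second hop
console.log(allowedEveryHop(src, page, blockScript)); // false: redirecting script's host is blocked
console.log(allowedEveryHop(src, page, sameOrigin));  // false: redirect leaves the originating host
```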