Open Bug 1896544 Opened 7 months ago Updated 3 months ago

Enforce `about:config`'s `permissions.default.image=2`

Categories

(Fenix :: Browser Engine, enhancement)

Product:
Fenix
Component:
Browser Engine
Version:
Firefox 125
Platform:
All
Android
Type:
enhancement

Tracking

(Not tracked)

Status:
UNCONFIRMED

People

(Reporter: 2002luvabbaluvu, Unassigned)

References

Details

(Whiteboard: [fxdroid][group1])

User Agent: Mozilla/5.0 (Android 14; Mobile; rv:125.0) Gecko/125.0 Firefox/125.0

Steps to reproduce:

Goto about:config
Put "default.images"=2
Tested on the most new versions of Firefox and Firefox Beta, both from Google Play Store.
Had to use a workaround on Firefox just to set this:
https://bugzilla.mozilla.org/show_bug.cgi?id=1813163

Actual results:

Social media was always full of actual warfare, waged through infected images,
but now almost the entire Internet is.
Even Google (or one of its developers) has gone missing and is now showing infected images on the results pages at https://google.com/ with "default.images"=2

Expected results:

Should block this for us.
Instead, must ditch Firefox and switch to a text browser such as eLinks or Lynx.

Summary: All images are infected, and as the number of school shootings/missing persons increases, more websites do not follow "default.images=2" (which was required to protect us) → Most online images are infected, and as the number of school shootings/missing persons increases, more websites do not follow "default.images=2" (which was required to protect us)
Summary: Most online images are infected, and as the number of school shootings/missing persons increases, more websites do not follow "default.images=2" (which was required to protect us) → Most online images are infected, and as the number of school shootings/missing persons increases, more websites have begun to evade "default.images=2" (the setting required to protect us)
Summary: Most online images are infected, and as the number of school shootings/missing persons increases, more websites have begun to evade "default.images=2" (the setting required to protect us) → Most online images are infected, and as the number of school shootings/missing persons increases, more websites have begun to evade "default.images=2" (which was the last setting which could secure us)
Summary: Most online images are infected, and as the number of school shootings/missing persons increases, more websites have begun to evade "default.images=2" (which was the last setting which could secure us) → Most online images are infected, and as the number of school shootings/missing persons increases, more websites have begun to evade "permissions.default.images=2" (which was the last setting which could secure us)

Even Google (or one of its developers) has gone missing and is now showing infected images on the results pages at https://google.com/ with "default.images"=2

The first page of image result from google is encoded as a data uri image.

See Also: → 331257
Summary: Most online images are infected, and as the number of school shootings/missing persons increases, more websites have begun to evade "permissions.default.images=2" (which was the last setting which could secure us) → Data uri images are not blocked when "permissions.default.images=2"

The severity field is not set for this bug.
:boek, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jboek)

This defect is a major security threat. Almost every website is broadcasting infected images, even with "permissions.default.images=2" (which was the only method to disable images on Firefox.) + "Website Permissions > Autoplay > Block audio and video".
Even Amazon has infected images/videos which are bypassing this: https://www.amazon.com/Bingfu-External-Antenna-Verizon-T-Mobile/dp/B07BQ44CW1
It appears that the only choice left to secure us is to uninstall Firefox and switch to a text browser (such as Elinks or Lynx.)

The first result for +"about:config" disable URI images
is https://support.mozilla.org/en-US/questions/1226175 which says

You can disable images on the   about:config  page :

Type   about:config   in the address bar and press Enter  (accept the risk,  if asked)
Type in the search bar :   permissions.default.image
and set its value to    2

which does not make it stop
+

If you want to disable the loading of images per site :
Click on the Page Info icon  (little  i   in a circle at the left end of the address bar)  -   click on the little black arrow,  then on  'More Information'.
Under the  Permissions tab,  scroll down to  'Load images'

which also does not make it stop

Correction: Permissions tab, scroll down to 'Load images' flat out does not exist

Severity: -- → N/A
Type: defect → enhancement
Component: General → Browser Engine
Flags: needinfo?(jboek)
Summary: Data uri images are not blocked when "permissions.default.images=2" → Add ability to prevent images from loading
Whiteboard: [fxdroid][group1]

(In reply to 2002luvabbaluvu from comment #10)

For those with epilepsy it is a major health concern to not have an option to disable images, such as "permissions.default.image=2".
"permissions.default.image=2" was a fix, but lots of websites (such as https://google.com/) are now bypassing this.
Lots of other websites are bypassing this to force infected ads to show up.
Unless there is a fix, must suggest epilepsy victims to switch to text browsers.

https://bugzilla.mozilla.org/show_bug.cgi?id=1913360 shows how to switch from Google to Yahoo.
Yahoo is the last engine which continues to follow permissions.default.images=2

Summary: Add ability to prevent images from loading → Enforce `about:config`'s `permissions.default.image=2`

Possible fix; about:config's javascript.enabled=false

You need to log in before you can comment on or make changes to this bug.