Closed Bug 203940 Opened 23 years ago Closed 16 years ago

block more remote protocol types, when user block remote images in mail messages

Categories

(SeaMonkey :: MailNews: Message Display, defect)

Product:
SeaMonkey
Component:
MailNews: Message Display
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED EXPIRED

People

(Reporter: sspitzer, Unassigned)

References

Details

look at mozilla/extensions/cookie/nsImgManager.cpp the current code will allow <img src="gopher://"> images to be shown, assuming gopher doesn't require a username/password. (bug #51631? will deny any thing requiring a password prompt) alternatively, we could do this: // whitelist if (chrome, resource, file (for editor, msg compose), mail related) return; // everything else, black list else (http, https, ftp, gopher, etc) if ((a mail message) && (mBlock || ftp)) block
For that matter, what about file:// ? Are we relying on CheckLoadURI to prevent people sending mail that randomly opens up crap off your hard drive?
datapoint, we had a bug (back in 4.x?) where a message (or webpage?) would tell you: "hey, I hacked your computer, here's your autoexec.bat", and they did file://C|/autoexec.bat" so it wasn't real, but users were confused.
Status: NEW → ASSIGNED
just as a note here: bug 22994 has a fix for blocking cookies in mailnews. there are some holes in the algo that cookies used, so that fix will be landing for 1.4b. we may want to ponder porting this stuff into nsImgManager::ShouldLoad at some point.
Why not something more along the lines of: if ([exhaustive list of local protocols]) return early; else // not specifying any protocols here. Just saying if // it's not in our list of local protocols. if ((a mail message) && (mBlock || ftp)) block
Define "local protocols" given that Mozilla embeddors can add implementations of arbitrary protocols (eg data:, view-source:, about:, etc, etc).
But yes, I think we want to white-list here....
I think a simpler remedy might be to make it so that images loaded by any protocol are considered remote. That way only images that are actually physically attached to the message will be displayed. That is the behavior that I imagined was happening all the while anyway.
You seem to have a fundamental misunderstanding of how images that are attached to the mail work. They are also loaded via a protocol handler (imap:// or the like).
No need to get snippy. When you open a message from an IMAP folder, is the entire message body not downloaded at the same time? I was under the impression that it would be since attached images are part of the message body.
I would take it one step further. When I select "block remote pictures from mail", I expect it to NEVER issue HTTP requests to remote servers due to email borne HTML. This is an importnat privacy issue, as I don't want to be tracked for when I read my mail. I just got a spam that violated this expectation of mine. It contained the following snippet: <embed src="http://211.104.119.200/event/hp.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="600" height="150"></embed></OBJECT> The remote site was contacted, and the media was downloaded. This happened to me on the Debian/Sid version of 1.3. I would change "Platform" to "all", and severity to "critical". At least to me, this appears to be a security problem.
That is no image loaded with another protocol, that is a shockwave flash applet. (=that is not this bug)
My beef is with the very fact that remote media is fetched when I asked Mozilla not to. I could care less what that media is. As far as I'm concerned, this bug should be "block all remote protocol types, when user block remote images in mail messages". If you think opening a new bug for it is justified, I'll do it. I will then think that this bug is encapsulated in that one.
No, it shouldn't. This is a very specific bug about a specific part of the code. You are looking for bug 28327. You should not try to morph bugs.
another data point: a way around the "block remote images" is to use news. (you might not have gopher, but the mozilla suite has news). like <img src="news://host:port/messageid?part=1.2&filename=foo.jpeg"> that will work today. I'm a behind in reading all the comments, but I'm sure once I do, I'll agree with bz's comment about whitelisting.
scott has a content policy manager for tbird now, so he'll want this too.
What are the protocols we should put in the whitelist? This is what i think: chrome, resource, mailbox, about and file. Anything missing in that list?
Product: Browser → Seamonkey
Assignee: sspitzer → mail
Status: ASSIGNED → NEW
Assignee: mail → nobody
QA Contact: esther → message-display
MASS-CHANGE: This bug report is registered in the SeaMonkey product, but has been without a comment since the inception of the SeaMonkey project. This means that it was logged against the old Mozilla suite and we cannot determine that it's still valid for the current SeaMonkey suite. Because of this, we are setting it to an UNCONFIRMED state. If you can confirm that this report still applies to current SeaMonkey 2.x nightly builds, please set it back to the NEW state along with a comment on how you reproduced it on what Build ID, or if it's an enhancement request, why it's still worth implementing and in what way. If you can confirm that the report doesn't apply to current SeaMonkey 2.x nightly builds, please set it to the appropriate RESOLVED state (WORKSFORME, INVALID, WONTFIX, or similar). If no action happens within the next few months, we move this bug report to an EXPIRED state. Query tag for this change: mass-UNCONFIRM-20090614
Status: NEW → UNCONFIRMED
MASS-CHANGE: This bug report is registered in the SeaMonkey product, but still has no comment since the inception of the SeaMonkey project 5 years ago. Because of this, we're resolving the bug as EXPIRED. If you still can reproduce the bug on SeaMonkey 2 or otherwise think it's still valid, please REOPEN it and if it is a platform or toolkit issue, move it to the according component. Query tag for this change: EXPIRED-20100420
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → EXPIRED
You need to log in before you can comment on or make changes to this bug.