Closed
Bug 209902
Opened 22 years ago
Closed 21 years ago
Images from same 2nd-level domain and another 3rd-level domain shouldn't be blocked
Categories
(Core :: Graphics: Image Blocking, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: sinchi, Assigned: mvl)
References
()
Details
(Keywords: fixed1.4.1)
Attachments
(1 file, 1 obsolete file)
1.39 KB,
patch
|
mvl
:
review+
bzbarsky
:
superreview+
mkaply
:
approval1.4.1+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030612
Build Identifier: Mozilla 1.4 RC2
Images from same 2nd-level domain and another 3rd-level domain are blocked.
Older Mozilla builds including 1.4 RC1 show it.
I consider old behavior to be more useful.
See URL for example: page site is www.yandex.ru, images source site is
im-tub.yandex.ru.
Reproducible: Always
Steps to Reproduce:
Comment 1•22 years ago
|
||
Did you set things to not load images from other servers? Because www.yandex.ru
and im-tub.yandex.ru are different servers....
Of course, yes. I always use option "Accept images from originating server only".
But previous behavior (showing images from another 3rd-level domain if 2nd-level
domain is the same) I guess to be more smart and usable. Moz 1.2.1, 1.3.1 and
even 1.4rc1 do so.
If I didn't want see images from another 3rd-level domain, I simply choosed
"Block Images from this Server in image context menu.
Btw, even in Bugzilla if you use use option "Accept images from originating
server only", you now can't see Mozilla logo at top of page.
Comment 3•22 years ago
|
||
Hmm? We should never have loaded those other images.. certainly nothing between
rc1 and rc2 should have changed here...
Formally you're absolutely right.
But previous behavior was more handly. Often images on big sites are placed on
hosts beginning with "img." or "image.". Formerly (even in 1.4rc1) I saw it, now
- no.
Especially unpleasant this bug is because that bug 47475 still isn't fixed.
Assignee | ||
Comment 5•22 years ago
|
||
There has always been code that made "only images from originating server" mean
"only images from the same 2nd level domain, even if the 3rd and higher domains
are different".
But that code was broken, but has been for a while. So 1.4rc1 should be broken
too.
Anyway, a patch.
Assignee | ||
Updated•22 years ago
|
Attachment #126004 -
Flags: superreview?(bzbarsky)
Attachment #126004 -
Flags: review?(dwitte)
Updated•22 years ago
|
Attachment #126004 -
Flags: review?(dwitte) → review+
Assignee | ||
Comment 6•22 years ago
|
||
-> me
Assignee: mstoltz → mvl
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 7•22 years ago
|
||
Comment on attachment 126004 [details] [diff] [review]
fix tail matching function
>+ const nsACString &firstTail = Substring(firstHost, firstHost.Length() - tail.Length(), tail.Length());
...
>+ if ((firstHost.Length() > tail.Length() &&
Um. That check really needs to happen _before_ that Substring() call, no? The
Substring() impl will happily read past start of string otherwise...
The rest looks fine, but please fix that.
Attachment #126004 -
Flags: superreview?(bzbarsky) → superreview-
Assignee | ||
Comment 8•22 years ago
|
||
Added the length check. Can't remove it from the other if. We also want aaa.com
to match when visiting www.aaa.com, so firstHost having the same length as tail
is a special case.
Attachment #126004 -
Attachment is obsolete: true
Assignee | ||
Comment 9•22 years ago
|
||
Comment on attachment 126049 [details] [diff] [review]
updated, check length
carrying forward r=dwitte
Attachment #126049 -
Flags: superreview?(bzbarsky)
Attachment #126049 -
Flags: review+
Comment 10•22 years ago
|
||
Comment on attachment 126049 [details] [diff] [review]
updated, check length
There we go. ;)
Attachment #126049 -
Flags: superreview?(bzbarsky) → superreview+
Comment 11•22 years ago
|
||
Comment on attachment 126049 [details] [diff] [review]
updated, check length
Checked in. It may be a good idea to take this for 1.4 as well... small simple
change that fixes a pretty major problem with this option.
Attachment #126049 -
Flags: approval1.4?
Comment 12•22 years ago
|
||
*** Bug 204887 has been marked as a duplicate of this bug. ***
Reporter | ||
Comment 13•22 years ago
|
||
Nice!
One question: if I see site via IP instead of DNS name (e.g.
http://207.200.81.215/ instead if http://www.mozilla.org/), does this patch
allow see images from (e.g.) 192.168.81.215? This should be denied.
Comment 14•22 years ago
|
||
No, it doesn't, unfortunately. It should.
it sucks that this code is forked between cookies & images - they should really
be using a common function.
Comment 15•22 years ago
|
||
of course, by "no, it doesn't", I meant "no, it doesn't work properly". as in,
it's broken like you say. ;)
Reporter | ||
Comment 16•22 years ago
|
||
Can we add fork with checking last DNS suffix ("org" or "215" in this case)? If
it's a valid number, we have an IP and hosts must be compared strictly; if it
isn't a number, we have a DNS name and hosts must be compared by 2nd-level domain.
Yet another suggestion: DNS names should be lowercased before comparing.
mozilla.org and Mozilla.Org are the same host.
Comment 17•22 years ago
|
||
>Can we add fork with checking last DNS suffix ("org" or "215" in this case)? If
>it's a valid number, we have an IP and hosts must be compared strictly; if it
>isn't a number, we have a DNS name and hosts must be compared by 2nd-level
>domain.
Cookies already handles this correctly; it's just a matter of making images use
this function (or fixing it separately)
>Yet another suggestion: DNS names should be lowercased before comparing.
>mozilla.org and Mozilla.Org are the same host.
nsIURI's are canonicalized during parsing, so this isn't an issue.
Comment 18•22 years ago
|
||
Site 'www.apple.com' fails to load images with 'accept from originating server
only' selected.
They use image loading through akamai.net. E.g.,
src="http://a772.g.akamai.net/7/772/51/6c91a531b2fde3/www.apple.com/t/2002/us/en/i/1bg.gif"
Comment 19•22 years ago
|
||
what's wrong with that?
Reporter | ||
Comment 20•22 years ago
|
||
Jim. I guess this to be correct behavior. apple.com and akamai.net are
absolutely different domains and browser would need redundant intelligence to
load these images if "Accept images from originating server only" is checked.
Solution may be like in Popup Management: you point servers to always load
images from regardless of current site URL. Of course, you should open another
bug for this issue.
Reporter | ||
Comment 21•22 years ago
|
||
Hope to see it in 1.4 release
Summary: Images from same 2nd-level domain and another 3rd-level domain are blocked → Images from same 2nd-level domain and another 3rd-level domain shouldn't be blocked
Assignee | ||
Comment 22•22 years ago
|
||
*** Bug 211356 has been marked as a duplicate of this bug. ***
Comment 23•22 years ago
|
||
Comment on attachment 126049 [details] [diff] [review]
updated, check length
moving approval request forward.
Attachment #126049 -
Flags: approval1.4? → approval1.4.x?
Comment 25•22 years ago
|
||
Comment on attachment 126049 [details] [diff] [review]
updated, check length
a=mkaply
Attachment #126049 -
Flags: approval1.4.x? → approval1.4.x+
Comment 26•22 years ago
|
||
Please add fixed1.4.1 keyword when this is checked in.
Flags: blocking1.4.x+
Reporter | ||
Comment 27•21 years ago
|
||
OK, good work, but there are 2 issues here.
1. Important. Strict checking for numeric IPs, see comment 16.
2. Less important, but seems significant. Some 2nd-level subdomains in national
domains are public (e.g. ".co.uk", ".org.ru", ".net.au" etc.). DNS ending of
such domains should be compared by 3rd-level domain name.
Comment 28•21 years ago
|
||
checked in to MOZILLA_1_4_BRANCH.
Assignee | ||
Comment 29•21 years ago
|
||
manko: this bug is about a very specific regression. The comment on the IP
numbers should be in another bug. Don't know if it is filed already.
The comment on .co.uk is also a different problem, but don't hold your breath on
it ever getting fixed. How do you know the if wx.yz is a .com or a .co.uk like
domain?
Reporter | ||
Comment 30•21 years ago
|
||
Yes, we can't know all public domains in all countries. But, I think, simple
euristic - treating as public "co", "com", "org" and "net" subdomains in any
2-letter 1st-level domain - would be enough.
Assignee | ||
Comment 31•21 years ago
|
||
My main point was: this bug is fixed :) Please search for another bug, or open a
new one.
Comment 33•21 years ago
|
||
*** Bug 219316 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•