Open
Bug 211085
Opened 22 years ago
Updated 1 years ago
XUL applications bypass image blocking when loading remote images
Categories
(Core :: Graphics: Image Blocking, defect)
Tracking
NEW
People
(Reporter: timwatt, Unassigned)
Details
Currently, XUL's nsImageBoxFrame fails to check with content policy before
loading remote images. I'm still investigating where a content policy check
could be injected; ::UpdateImage is looking like a reasonable candidate.
Note that placing a check here will necessitate the removal of the content
policy check from nsImageLoadingContent.cpp, since everybody goes through
nsImageBoxFrame, and there's no good reason for duplicate content policy checks.
Comment 1•22 years ago
It looks like a bug I saw in Thunderbird. Even having unchecked "load remote
image" in TB preferences, some mails are loading them.
Comment 2•22 years ago
> Note that placing a check here will necessitate the removal of the content
> policy check from nsImageLoadingContent.cpp, since everybody goes through
> nsImageBoxFrame
I can't name a single case when a caller would go through both
nsImageLoadingContent and nsImageBoxFrame. Can you?
re: comment 2: nope; I had misunderstood some output; ignore that part of the
comment.
Updated•18 years ago
Assignee: security-bugs → nobody
Updated•15 years ago
QA Contact: image-blocking
Updated•2 years ago
Severity: minor → S4