Closed
Bug 219918
Opened 21 years ago
Closed 21 years ago
loads image using javascript when "accept images from originating server only" is set
Categories
(Core :: Security, enhancement)
Tracking
()
RESOLVED
INVALID
People
(Reporter: bugzilla, Assigned: security-bugs)
References
()
Details
Attachments
(1 file)
|
11.92 KB,
text/html
|
Details |
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030828
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030828
Images from other servers can be loaded via javascript, although images
specified by HTML tags cannot.
1. search for <!-- Begin nav Ad Tag -->
2. compare the <script> and <noscript> options
3. the <noscript> version blocks a remote image correctly.
4. the <script> version loads image via a remote script regardless of image
Reproducible: Always
Steps to Reproduce:
Working case:
1. disable both javascript & remote image loading
2. go to the url http://www.whitepages.com.au/wp/
3. the ad images disappear (yay)
Not working case:
1. enable javascript & disable remote image loading
2. go to the url http://www.whitepages.com.au/wp/
3. the ad images appear, despite remote image loading being off (grr)
Actual Results:
nothing happens, just a remote image is loaded when you have asked for the
browser to not do that.. this would also be a good feature to avoid some cross
site scripting attacks maybe.
Expected Results:
Suggestion 1:
I'd suggest either pushing the image permissions through to the javascript
engine, or extend a similar functionality to javascript as there is for images.
Suggestion 2:
Specifically, add a security option "execute javascript from originating server
only" ?, specifically meaning limit the content of src= tags where javascript
gets loaded from if they are not from the originating server, or the code is
inline. This would still presumably allow the inline script to load remote
images as well.
An example is below a <script> and a <noscript> tag which are alike in function,
the javascript one fails to stop the remote image loading:
<script LANGUAGE="JavaScript1.1"
SRC="http://ad2.pamedia.com.au/js.ng/site=wp&position=navbar&adsize=194x55&transactionID=21743478"></SCRIPT>
<noscript>
<a
href="http://ad2.pamedia.com.au/click.ng/Params.richmedia=yes&site=wp&position=navbar&adsize=194x55&transactionID=21743478"><img
border=0
src="http://ad2.pamedia.com.au/image.ng/Params.richmedia=yes&site=wp&position=navbar&adsize=194x55&transactionID=21743478"></a>
</noscript>
|
||
Comment 1•21 years ago
|
||
The <script> writes out a flash plugin if it can. Otherwise it writes out an
image. Do you have flash installed? If so, does uninstalling it "solve" this bug?
|
Reporter | |
Comment 2•21 years ago
|
||
i dont have flash player installed, just java and mplayer plugins.
|
||
Comment 3•21 years ago
|
||
possibly the mplayer plugin supports displaying flash movies
|
|
Reporter | |
Comment 4•21 years ago
|
||
|
|
Reporter | |
Comment 5•21 years ago
|
||
Bugger. The ad in question is local. Sorry guys.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•