User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030905 Debian/1.4.0.x.1-6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030905 Debian/1.4.0.x.1-6

I received an email today with an embedded shockwave object, using the <object> tag. Despite having remote loading turned off, the shockwave object appeared and played anyways.

Reproducible: Always

Steps to Reproduce:
1. Disable remote loading
2. Receive HTML mail with shockwave object tag
3. View it

Actual Results: The shockwave viewer is started and the animation plays.

Expected Results: It should not be shown.

This is the relevant HTML:

<TD background="http://www.awesometvoffers.com/ideavillage/microtouch/v2/images/noplay.gif"><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0" width="188" height="152"><param name="movie" value="http://www.awesometvoffers.com/global/loader-v20.swf?Host=awesometvoffers&Client=ideavillage&Product=microtouch"/><param name="quality" value="high"/><embed src="http://www.awesometvoffers.com/global/loader-v20.swf?Host=awesometvoffers&Client=ideavillage&Product=microtouch" quality="high" pluginspage="https://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="188" height="152"></embed></object></TD>
Excuse the formatting errors. I wasn't sure it would be escaped for me.
15 years ago
Depends on: 191839
I got one of these today as well. I also feel it should be blocked if remote images are also not loaded: src="http://www.officialtvoffers.com/global/loader198x160.swf?w=188&h=131&Host=officialtvoffers&Client=telebrands&Product=naturalbra&text1=Powered by Livemercial&text2=Powered by Livemercial&text3=Powered by Livemercial&play_status=playing&sound_status=on"
Go to Edit/Preferences/Advanced/Scripts & Plugins to disable plugins in mail. If you want to disable all remote loading (which includes plugins), this is bug 28327. Please close this bug if the above helps, or add another comment if it doesn't.
Seth, this is that issue we were talking about sometime... the remote images pref should apply to objects as well, not just images, probably.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Boris, is the purported dupe (DUPEME) intended to mean bug 28327?

(In reply to comment #4)
> Seth, this is that issue we were talking about sometime... the remote images
> pref should apply to objects as well, not just images, probably.

Not only has this screening been done -- on the trunk, I'm not able to get an <object> with embedded data to render within a message; bug 333170.
Sorry for the spam. Making bugzilla reflect reality as I'm not working on these bugs. Filter on FOOBARCHEESE to remove these in bulk.
Assignee: sspitzer → nobody
Filter on "Nobody_NScomTLD_20080620"
QA Contact: junruh → security
Product: Core → MailNews Core
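
Added example (not part of the bug thread and not Mozilla code): a small checker that lists every remote reference in an HTML mail body and shows which ones a policy that only screens images would miss, which is the gap this report describes. The attribute lists, the function names, the image-only policy model and the `example.invalid` hosts are assumptions made for illustration; the sample markup is constructed to mirror the structure of the HTML in the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that can trigger a fetch when HTML mail is rendered.
# Illustrative list, not exhaustive.
FETCH_ATTRS = {"img": {"src"}, "embed": {"src"}, "iframe": {"src"},
               "object": {"data", "codebase"}}
BACKGROUND_TAGS = {"body", "table", "tr", "td", "th"}
PARAM_URL_NAMES = {"movie", "src", "url"}  # <param name=...> values that hold a URL

def is_remote(value):
    if not value:
        return False
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return True  # unparsable URL: fail closed and treat it as remote
    scheme = parts.scheme.lower()
    return scheme in ("http", "https", "ftp") or (not scheme and bool(parts.netloc))

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, attribute, url) in document order

    def handle_starttag(self, tag, attrs):  # also invoked for <param ... />
        a = {}
        for key, val in attrs:
            a.setdefault(key, val)  # first occurrence wins, as in browsers
        wanted = set(FETCH_ATTRS.get(tag, ()))
        if tag in BACKGROUND_TAGS:
            wanted.add("background")
        if tag == "param" and (a.get("name") or "").lower() in PARAM_URL_NAMES:
            wanted.add("value")
        for name in sorted(wanted):
            if is_remote(a.get(name)):
                self.refs.append((tag, name, a[name].strip()))

def find_remote_refs(html):
    finder = RemoteRefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs

def missed_by_image_only_policy(refs):
    # Assumption: an "images only" policy screens <img src> and background= only.
    return [r for r in refs if not (r[0] == "img" or r[1] == "background")]

# Constructed sample modelled on the markup in the report (placeholder hosts).
SAMPLE = '''<TD background="http://images.example.invalid/noplay.gif">
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="https://plugins.example.invalid/swflash.cab">
<param name="movie" value="http://ads.example.invalid/loader.swf?Host=a"/>
<param name="quality" value="high"/>
<embed src="http://ads.example.invalid/loader.swf?Host=a" type="application/x-shockwave-flash"></embed>
</object></TD><img src="cid:logo@local">'''
```

Running `missed_by_image_only_policy(find_remote_refs(SAMPLE))` returns the `<object>`, `<param>` and `<embed>` references, the same three element types that carried the remote loads in the reported message.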