Embedded object tag executed despite no remote-loading preference

Status: NEW
Assignee: Unassigned
Product: MailNews Core
Component: Security
Opened: 15 years ago
Updated: 10 years ago
Reporter: Max
Firefox Tracking Flags: Not tracked
Whiteboard: DUPEME

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030905 Debian/1.4.0.x.1-6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030905 Debian/1.4.0.x.1-6

I received an email today with an embedded shockwave object, using the <object>
tag.  Despite having remote loading turned off, the shockwave object appeared
and played anyways.

Reproducible: Always

Steps to Reproduce:
1. Disable remote loading
2. Receive HTML mail with shockwave object tag
3. View it
Actual Results:  
The shockwave viewer is started and the animation plays.

Expected Results:  
It should not be shown.



This is the relevant HTML:

<TD background="http://www.awesometvoffers.com/ideavillage/microtouch/v2/images/noplay.gif">
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
  codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0"
  width="188" height="152">
<param name="movie"
  value="http://www.awesometvoffers.com/global/loader-v20.swf?Host=awesometvoffers&Client=ideavillage&Product=microtouch"/>
<param name="quality" value="high"/>
<embed
  src="http://www.awesometvoffers.com/global/loader-v20.swf?Host=awesometvoffers&Client=ideavillage&Product=microtouch"
  quality="high" pluginspage="https://www.macromedia.com/go/getflashplayer"
  type="application/x-shockwave-flash" width="188" height="152">
</embed>
</object>
</TD>
(Reporter)

Comment 1

15 years ago
Excuse the formatting errors.  I wasn't sure it would be escaped for me.
Depends on: 191839
Whiteboard: DUPEME

Comment 2

14 years ago
I got one of these today as well. I also feel it should be blocked if remote
images are also not loaded:

src="http://www.officialtvoffers.com/global/loader198x160.swf?w=188&h=131&Host=officialtvoffers&Client=telebrands&Product=naturalbra&text1=Powered
by Livemercial&text2=Powered by Livemercial&text3=Powered by
Livemercial&play_status=playing&sound_status=on"

Comment 3

14 years ago
Go to Edit/Preferences/Advanced/Scripts & Plugins
to disable plugins in mail.

If you want to disable all remote loading (which includes plugins) this is bug
28327.

Please close this bug if the above helps or add another comment if it doesn't.

Comment 4

Seth, this is that issue we were talking about sometime...  the remote images
pref should apply to objects as well, not just images, probably.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Product: MailNews → Core
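
The point made above, that a remote-content pref has to cover objects and not only images, can be checked mechanically. The following is an added example, not part of the original bug report or Mozilla's code: it lists every remote reference in an HTML mail body and shows which ones survive an image-only block. The tag/attribute table, the `IMAGES_ONLY` model of the pref, and the `.example` URLs in the sample are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes that can point a renderer at a remote resource.
# Assumed, non-exhaustive list for this example (CSS url() is not covered).
URL_ATTRS = {
    "img": ("src",), "td": ("background",), "table": ("background",),
    "body": ("background",), "object": ("data", "codebase"),
    "embed": ("src",), "iframe": ("src",), "param": ("value",),
}
IMAGES_ONLY = {"img"}       # assumed model of a pref that only screens images
ALL_TAGS = set(URL_ATTRS)   # the same pref applied to every tag listed above

def is_remote(value):
    """True for http/https/ftp URLs and protocol-relative //host/... references."""
    try:
        u = urlsplit(value.strip())
    except ValueError:      # malformed URL: nothing to fetch
        return False
    return u.scheme in ("http", "https", "ftp") or (not u.scheme and bool(u.netloc))

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []      # (tag, attribute, url) in document order

    def handle_starttag(self, tag, attrs):  # also called for <param .../>
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value and is_remote(value):
                self.refs.append((tag, name, value.strip()))

def remote_refs(html):
    finder = RemoteRefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs

def not_blocked(html, blocked_tags):
    """Remote references that survive a pref covering only blocked_tags."""
    return [ref for ref in remote_refs(html) if ref[0] not in blocked_tags]

# Constructed sample modelled on the markup in the description.
SAMPLE = """<td background="http://ads.example/noplay.gif">
<img src="http://ads.example/pixel.gif"><img src="cid:logo@local">
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
 codebase="https://plugins.example/swflash.cab" width="188" height="152">
<param name="movie" value="http://ads.example/loader.swf?id=1"/>
<param name="quality" value="high"/>
<embed src="http://ads.example/loader.swf?id=1" type="application/x-shockwave-flash">
</embed></object></td>"""
```

Calling `not_blocked(SAMPLE, IMAGES_ONLY)` returns the `td`, `object`, `param` and `embed` references, while `not_blocked(SAMPLE, ALL_TAGS)` returns an empty list.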

Comment 5

12 years ago
Boris, is the purported dupe (DUPEME) intended to mean bug 28327?

(In reply to comment #4)
> Seth, this is that issue we were talking about sometime...  the remote images
> pref should apply to objects as well, not just images, probably.

Not only has this screening been done -- on the trunk, I'm not able to get an <object> with embedded data to render within a message; bug 333170.

Sorry for the spam.  Making Bugzilla reflect reality as I'm not working on these bugs.  Filter on FOOBARCHEESE to remove these in bulk.
Assignee: sspitzer → nobody

Filter on "Nobody_NScomTLD_20080620"
QA Contact: junruh → security
(Assignee)

Updated

10 years ago
Product: Core → MailNews Core