Closed Bug 248857 Opened 21 years ago Closed 21 years ago

LINK'd and IFRAMEd objects are loaded in mail-news even if remote images disabled

Categories

(MailNews Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 28327

People

(Reporter: mozilla.cryptor3, Assigned: sspitzer)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040514
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040514

Mailnews loads remote stylesheets in HTML-formatted messages. This makes the mailnews client vulnerable to web bugs that use the LINK or IFRAME tags. I have enabled "Do not load remote images in Mail & Newsgroup messages." My understanding is that this feature exists in part to prevent mailnews from loading web bugs. MailNews will also load remote IFRAMES, which is basically the same bug.

Reproducible: Always

Steps to Reproduce:
1. Create a stylesheet with unique formatting and host this on a remote web site.
2. Create an HTML formatted message with the HTML tag <link rel="stylesheet" type="text/css" href="http://exampleserver/stylesheet.css"> where the href points to the stylesheet created in step 1.
3. Send the mail message and view in mailnews.

Results for IFRAME objects can be verified in a similar manner.

Actual Results: The formatting from stylesheet.css was applied to the mail message, indicating that the remote stylesheet file had been loaded. In the case of IFRAMEs, we see that the target page is displayed.

Expected Results: Mailnews should not load the remote stylesheet unless the "Do not load remote images in Mail & Newsgroup messages" feature is unchecked. Alternatively, a new preference setting for loading remote style sheets and remote IFRAMES in MailNews should be created.
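Added example, not part of the original report and not Mozilla code: a Python check that lists the elements in a message's text/html parts whose URL would be fetched from a remote host on render, covering the LINK and IFRAME cases from the report alongside IMG. The names remote_loads and RemoteLoadFinder, the sample message and the frame.html path are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Element -> attribute whose URL is fetched on render. IMG is what the
# "remote images" preference targets; LINK and IFRAME are the report's cases.
FETCHING_ATTRS = {"img": "src", "link": "href", "iframe": "src"}
REMOTE_SCHEMES = {"http", "https", "ftp"}

class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        if attr is None:
            return
        values = dict(attrs)
        # Only LINK elements that pull in a stylesheet, as in the report.
        if tag == "link" and "stylesheet" not in (values.get("rel") or "").lower().split():
            return
        url = (values.get(attr) or "").strip()
        # cid:, data: and similar in-message references are not remote fetches.
        if urlparse(url).scheme in REMOTE_SCHEMES:
            self.findings.append((tag, url))

def remote_loads(raw_message):
    """Return (tag, url) for each remote-fetching element in text/html parts."""
    finder = RemoteLoadFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        finder.feed(part.get_payload(decode=True).decode(charset, errors="replace"))
    finder.close()
    return finder.findings

# Constructed sample message; frame.html is a made-up path.
SAMPLE = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" type="text/css" href="http://exampleserver/stylesheet.css"></head>
<body><img src="cid:logo@example.invalid">
<iframe src="http://exampleserver/frame.html"></iframe></body></html>
"""
```

On the sample, remote_loads(SAMPLE) reports the LINK and IFRAME URLs and skips the cid: image, which is embedded in the message rather than fetched.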
*** This bug has been marked as a duplicate of 28327 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Product: MailNews → Core
Product: Core → MailNews Core