Open Bug 299682 Opened 15 years ago Updated 7 years ago

[RFE] Equal treatment for external resources: IMG, OBJECT, CSS, XSLT, DTD, JavaScript, maybe Cookies, ...


(Core :: Image Blocking, enhancement)

Not set





(Reporter: Martin.vGagern, Unassigned)


(Whiteboard: DUPEME)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Firefox/1.0.4

There are several kinds of external resources around that might be referenced
from a page. Those include Images, embedded objects, external scripts or
stylesheets, and all kinds of secondary files for XML documents. It would be
nice if loading of these resources could be handled by some uniform and
finegrained configuration, including blacklisting, whitelisting, an "originating
domain only" policy, and for emails of course exceptions based on address books.

I'd also like to see some configuration to trust references from local files, so
that I can download and edit a file and still see it the way it would be on the
web, in the correct domain.

For some of those there are already bugs discussing the topics. I found the
bug #228698 (XSLT)
bug #22942  (DTD)
bug #145690 (IMG)
bug #184059 (IMG, Cookies)

It would perhaps also be good to discuss the security implications of those
settings. E.g. bug #22942 comment #25 mentions some kind of security issue for
DTDs, but I don't see this except in emails as a tracker. bug #228698 was marked
invalid because of security considerations, but I'd believe XSLT to be less
harmful than JavaScript, and remote JavaScript for a local page works just fine.

Many bugs discuss images and cookis simultaneousely, and treat them the same.
I'd disagree with this, as images are a external resource like the ones above,
and pose an annoyance and performance impact, while a cooky reduces the
anonymity of a user by tracking him across several requests. I'd rather group
images with JavaScript and all the things listed above. Nevertheless, the
mechanisms developed for cookie handling seem rather elaborate, so perhaps it is
worth considering them here as well, at least to reuse useful code.

Reproducible: Always

Steps to Reproduce:
There is a bug on this already.  All the back end is already in place; this is a
matter of hooking up the user interface and the actual content policies, which
can be easily done in JS if desired.
Whiteboard: DUPEME
Some more references:
bug #78104:  blocking images by regex, also mentions other media
bug #204140: user stylesheets and XBL
bug #94035:  media blocking based on mime type (long bug, read #140)
bug #33469:  general blacklists
bug #85601:  port based blocking
bug #165531: zone based control
bug #38966:  UI considerations

More sources of external resources: EMBED, APPLET, (IFRAME?), PopUps

Possibly some of those could be good search words:
nsIContentPolicy, nsIPermissionManager.
Assignee: security-bugs → nobody
QA Contact: image-blocking
You need to log in before you can comment on or make changes to this bug.