Closed
Bug 325908
Opened 19 years ago
Closed 18 years ago
message pane downloads external linked .css urls even though images aren't downloaded.
Categories
(Thunderbird :: Mail Window Front End, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: matthew, Assigned: mscott)
Details
(Keywords: privacy, Whiteboard: [sg:needinfo])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 Build Identifier: version 1.5 (20051201) Expected behavior is for all external linked items to NOT be downloaded, including .css files and .js files. This issue makes the image download prevention kind of useless from a privacy perspective. Reproducible: Always Steps to Reproduce: 1. confirm that "block remote images" is set in options... privacy tab. Make sure your Mozilla cache is empty. 2. receive an email message with an externally linked .css stylesheet. for example: <link href="/uploads/9c/fU/9cfU1QrIfYG2vNpLZwI0KQ/styles.css" rel="stylesheet" type="text/css"> Note that a <base href="someServer"> is also in the source of the text/html MIME attachment. 3. preview the message in the Message Pane. 4. Notice that the .css styles are applied, which means the .css file was downloaded. 5. Check that http server's logs (assuming you have access) to verify that the .css file was downloaded. Actual Results: .css file was downloaded from the http server, and the externally linked images were not. Expected Results: not downloaded the .css files.
Comment 1•19 years ago
|
||
Could you provide a testcase? You could mail it to me, for example, with this bug number in the subject. In the test cases I constructed Thunderbird did not download remote .css files. Tried an absolute URI and a relative+base as described in step 2. Once I hit the "show images" button it seemed to remember that for that message, even after quitting Thunderbird and re-launching. Deleting the index file (.msf) for the folder cleared it, as did marking the message Junk followed-by not-junk. But on initial receipt the CSS files were definitely blocked as remote content. Need more specifics otherwise will have to close "worksforme".
Keywords: privacy
Whiteboard: [sg:needinfo]
Reporter | ||
Comment 2•19 years ago
|
||
I should have mentioned; the <base href="https://someServer/"> was SSL. Not sure if that matters...
Comment 3•19 years ago
|
||
Really do need a testcase here. The external stuff blocking code treats stylesheets and images exactly the same way, and is definitely called for stylesheets.... So as far as I can tell from code inspection, this bug should be impossible.
Reporter | ||
Comment 4•19 years ago
|
||
I went back and tried it again, and it didn't fetch the .css file. But it does fetch it from cache if it's been downloaded before, if the cache hasn't been cleared. and any image urls specified in that .css file might be downloaded. I'll test more thoroughly later today.
Severity: major → minor
Comment 5•19 years ago
|
||
> But it does fetch it from cache if it's been downloaded before
Even that shouldn't be happening...
Comment 6•18 years ago
|
||
WFM without an example mail. We did fix a similar bug in 1.5.0.2 that involved an in-line stylesheet referencing an external stylesheet, but that doesn't sound like this case. http://www.mozilla.org/security/announce/2006/mfsa2006-26.html
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•