Closed Bug 325908 Opened 19 years ago Closed 18 years ago

message pane downloads external linked .css urls even though images aren't downloaded.

Categories

(Thunderbird :: Mail Window Front End, defect)

Product:
Thunderbird
Component:
Mail Window Front End
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: matthew, Assigned: mscott)

Details

(Keywords: privacy, Whiteboard: [sg:needinfo]) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: version 1.5 (20051201)

Expected behavior is for all external linked items to NOT be downloaded, including .css files and .js files.  This issue makes the image download prevention kind of useless from a privacy perspective.

Reproducible: Always

Steps to Reproduce:
1. confirm that "block remote images" is set in options... privacy tab.  Make sure your Mozilla cache is empty.
2. receive an email message with an externally linked .css stylesheet. for example: <link href="/uploads/9c/fU/9cfU1QrIfYG2vNpLZwI0KQ/styles.css" rel="stylesheet" type="text/css">    Note that a <base href="someServer"> is also in the source of the text/html MIME attachment.
3. preview the message in the Message Pane.  
4. Notice that the .css styles are applied, which means the .css file was downloaded.
5. Check that http server's logs (assuming you have access) to verify that the .css file was downloaded.
Actual Results:  
.css file was downloaded from the http server, and the externally linked images were not.

Expected Results:  
not downloaded the .css files.
Could you provide a testcase? You could mail it to me, for example, with this bug number in the subject. In the test cases I constructed Thunderbird did not download remote .css files. Tried an absolute URI and a relative+base as described in step 2.

Once I hit the "show images" button it seemed to remember that for that message, even after quitting Thunderbird and re-launching. Deleting the index file (.msf) for the folder cleared it, as did marking the message Junk followed-by not-junk. But on initial receipt the CSS files were definitely blocked as remote content.

Need more specifics otherwise will have to close "worksforme".
Keywords: privacy
Whiteboard: [sg:needinfo]
I should have mentioned; the <base href="https://someServer/"> was SSL.  Not sure if that matters...
Really do need a testcase here.  The external stuff blocking code treats stylesheets and images exactly the same way, and is definitely called for stylesheets....  So as far as I can tell from code inspection, this bug should be impossible.
I went back and tried it again, and it didn't fetch the .css file.  But it does fetch it from cache if it's been downloaded before, if the cache hasn't been cleared.  and any image urls specified in that .css file might be downloaded.  I'll test more thoroughly later today.
Severity: major → minor
> But it does fetch it from cache if it's been downloaded before

Even that shouldn't be happening...
WFM without an example mail. We did fix a similar bug in 1.5.0.2 that involved an in-line stylesheet referencing an external stylesheet, but that doesn't sound like this case.
http://www.mozilla.org/security/announce/2006/mfsa2006-26.html
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.