Closed Bug 344094 Opened 19 years ago Closed 16 years ago

RSS feeds with original HTML should not override Block Remote Images option

Categories

(Thunderbird :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: pufiad, Assigned: mscott)

Details

(Whiteboard: [driver: WONTFIX?])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Build Identifier: version 1.5.0.4 (20060516)

When both of the following two options are set:
- Block loading of remote images in mail messages;
- View Message body as Original HTML.
then remote images are loaded anyway.

This is a weird situation. For the user the two options are not related at all and just marking the Block loading options should block the loading of all images. If it is generally considered to be A Good Thing that remote images are loaded for Original HTML messages, then at least a warning must be included below the Block remote images option.

Reproducible: Always

Steps to Reproduce:
1. Set option "Block loading of remote images in mail messages".
2. Set option "View Message body as Original HTML".
3. Receive an HTML message with remote images.

Actual Results:
Remote images are loaded.

Expected Results:
Remote images are not loaded.

Those are the default settings and we've tested that remote images are not loaded. Do you have an example mail that exhibits this bug?

Two potential explanations: a lot of spam has started to include *inline* images. The images are not "remote" so they are not blocked. (Personally I'd like to block all images until I hit the "show images" button, but that's not what the current privacy-oriented feature does.)

Or, once you've hit the "load images" button for a particular mail we save that information into the index file and assume you always want to see the remote content for that mail. The only way to reset that state is to delete the index (.msf) file in question. (Another behavior I'm not fond of, but it's optimized for another way of working I guess.)

Assignee: dveditz → mscott
They are remote images indeed, but I just noticed that these are RSS messages. Again, with "original HTML" these remote images are loaded, but with "simple HTML" they are not. I have a feed that appears to use these "invisible" images for tracking purposes.
Ben, do you still see this? I didn't find a fixing bug.
Whiteboard: closeme 2008-08-01
The problem still exists and it appears that it is a feature as described in the attachment to bug 152574:

// (2) special case RSS urls, always allow them to load remote images since the user explicitly
// subscribed to the feed.

However, I do not agree with this comment. Although there may be legitimate uses for remote images in an RSS feed, they are also used for tracking purposes. Therefore the remote images must be treated as in any email message and be blocked if the user chose to set that option.

Update the bug title.
Summary: Original HTML should not override Block Remote Images option → RSS feeds with original HTML should not override Block Remote Images option
Didn't test, but I don't think there is a need to protect against images in RSS feeds - the situation is fundamentally different from mails. Protecting against it in feeds is like browsing the web without images turned on. Or worse! If the feed isn't planeted or something, the feed provider can still check his logs for your connections to the main feed.
bienvenu, dmose: WONTFIX?
Whiteboard: closeme 2008-08-01 → [driver: WONTFIX?]
Yes, I think WONTFIX - Magnus summed it up pretty well.
Agreed; marking as WONTFIX. That said, this seems like fertile ground for an extension.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
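
The thread's distinction between remote and inline images, and the RSS exemption quoted from bug 152574, can be checked against a feed item's HTML. The following Python is an added example, not part of the bug report or Thunderbird's code; the sample item, the `example.test` hosts, the function names and the 1-pixel/hidden heuristic are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a feed item's HTML body (hosts are placeholders).
SAMPLE_ITEM = (
    '<p>Post <img src="https://cdn.example.test/photo.png" width="400" height="300"></p>'
    '<img src="https://stats.example.test/open.gif?u=123" width="1" height="1"/>'
    '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="inline">'
)

class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag, including self-closed ones."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def _beacon_like(attrs):
    # Heuristic (assumption): 0/1-pixel or CSS-hidden images are likely trackers.
    tiny = any(attrs.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style

def classify(html):
    """Return one dict per image: src, whether it is remote, whether it looks like a beacon."""
    parser = ImgCollector()
    parser.feed(html)
    parser.close()
    result = []
    for attrs in parser.images:
        src = attrs.get("src", "").strip()
        # Remote = fetched over the network; data: and cid: content is inline.
        remote = urlparse(src).scheme.lower() in ("http", "https") or src.startswith("//")
        result.append({"src": src, "remote": remote,
                       "beacon_like": remote and _beacon_like(attrs)})
    return result

def would_load(img, block_remote, is_feed, feeds_exempt=True):
    """Simplified model of the behaviour described in the thread (not Thunderbird code)."""
    if not img["remote"] or not block_remote:
        return True                      # inline content, or blocking is switched off
    return is_feed and feeds_exempt      # the RSS special case the reporter objects to

if __name__ == "__main__":
    for img in classify(SAMPLE_ITEM):
        print(img["src"][:45], img["remote"], img["beacon_like"],
              would_load(img, block_remote=True, is_feed=True))
```

Passing `feeds_exempt=False` models the behaviour the reporter asked for, where feed items are treated like any other message.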