IMG tags in NNTP posts cannot be blocked

RESOLVED DUPLICATE of bug 272984

Status

Thunderbird
Mail Window Front End
--
enhancement
RESOLVED DUPLICATE of bug 272984
12 years ago
12 years ago

People

(Reporter: bruce, Assigned: Scott MacGregor)

Tracking

({privacy})

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9
Build Identifier: version 1.5.0.9 (20061207)

An NNTP article includes an <IMG src="http://badsite/....jpg">.
Thunderbird does not block the image (even though "Privacy/General/Block loading of remote images in mail messages" is checked).
I assume thunderbird sent an HTTP request to badsite, and badsite now has (at a minimum) my IP address.
This is a privacy/security problem.  The 'Block loading of remote images' preference should also apply to NNTP.

Reproducible: Didn't try

Steps to Reproduce:
I dont have access to a webserver to emulate the badsite.  But try this:
1.Set the 'Block loading of remote images...' checkbox.
2.Create an NNTP article with an imbedded <IMG src=http://yourserver/...jpg> tag.
3.In thunderbird, read the article.

Actual Results:  
I see the image.

Expected Results:  
The yellow 'thunderbird has blocked images' message should appear.

I have not tested this for RSS.  I expect a similar problem.
This is a legit enhancement request so confirming, but this may be an explicit decision for news (I'm not a mail guy).

In the meantime, for your own protection you can use the View menu to show message bodies as "Simple HTML" which will strip out all images regardless. Or even use "plain text" which is really what news should be anyway. Unfortunately the view setting is global, would be nice if it were per account.
Group: security
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy

Comment 2

12 years ago
(In reply to comment #1)
> you can use the View menu to show
> message bodies as "Simple HTML" which will strip out all images regardless. 

No, it doesn't, not by default.  You can tweak to cause this behavior, however, by adjusting the pref
  mailnews.display.html_sanitizer.allowed_tags
to either remove the "img(...)" part entirely, or remove the 'src' from the parenthesized list.


> Unfortunately the view setting is global, would be nice if it were per
> account.

Per-folder:  bug 233109

Updated

12 years ago
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 272984
You need to log in before you can comment on or make changes to this bug.