<script src="http://attack-site.com"> does not trigger safe-browsing alert

VERIFIED DUPLICATE of bug 441359

Status

10 years ago
5 years ago

People

(Reporter: advax, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Description

10 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6

While following a link to a listed phishing site gives a big red alert and a red banner on each page if ignored, referring to a script on a listed site does not.
Nor does putting an image inline.

I don't have access to a real listed site to test exhaustively. If I create a page which sources a non-existent script on a listed site, Firefox silently downloads the URL from the site, as verified with Wireshark.
I have only tried a URL which returns 404.

The safe browsing filter should warn on any attempts to contact a listed site, whether by inline image, script, redirect, iframe, ftp etc. etc.

Reproducible: Always
Updated

10 years ago
Component: General → Phishing Protection
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 441359
Status: RESOLVED → VERIFIED
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit
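
The check the description asks for, applied to every automatic load in a page rather than only the navigated URL, sketched as an added example that is not part of the original bug report or of Firefox's code. The host names, blocklist and sample page are constructed, matching by host name is a simplifying assumption, and redirects are not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the blocklist; real lists hold hashed URL prefixes.
LISTED_HOSTS = {"attack-site.example"}
# Tag -> attributes whose URL a browser typically fetches without a user click.
FETCH_ATTRS = {"script": ("src",), "img": ("src",), "iframe": ("src",),
               "frame": ("src",), "embed": ("src",), "object": ("data",),
               "link": ("href",)}

def is_listed(url):
    """True if the URL's host is a listed host or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in LISTED_HOSTS)

class LoadCollector(HTMLParser):
    """Collects (tag, absolute URL) for every automatic load in a page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.loads = base_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.loads.append((tag, urljoin(self.base_url, attrs[name])))

def top_level_check(page_url):
    """Checks only the navigated URL, the behaviour the report describes."""
    return is_listed(page_url)

def audit_page(page_url, html):
    """Checks every automatic load and returns the ones on a listed host."""
    collector = LoadCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.loads if is_listed(url)]

# Constructed sample: a page on an unlisted host that pulls from a listed one.
SAMPLE_URL = "http://benign.example/index.html"
SAMPLE_HTML = """<html><head>
<script src="http://attack-site.example/missing.js"></script>
</head><body><img src="ftp://cdn.attack-site.example/banner.png">
<iframe src="http://partner.example/widget"></iframe>
<a href="http://attack-site.example/">not fetched until clicked</a></body></html>"""

if __name__ == "__main__":
    print("top-level check flags page:", top_level_check(SAMPLE_URL))
    for tag, url in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print("listed host contacted via", tag, "->", url)
```
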