Closed Bug 479103 Opened 15 years ago Closed 15 years ago

<script src="http://attack-site.com"> does not trigger safe-browsing alert

Categories

(Toolkit :: Safe Browsing, defect)

x86
Linux
defect
Not set
normal

Tracking

VERIFIED DUPLICATE of bug 441359

People

(Reporter: advax, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6

While following a link to a listed phishing site gives a big red alert and a red banner on each page if ignored, referring to a script on a listed site does not.
Nor does putting an image inline.

I don't have access to a real listed site to test exhaustively. If I create a page which sources a non-existent script on a listed site, Firefox silently downloads the URL from the site, as verified with Wireshark.
I have only tried a URL which returns 404.

The safe browsing filter should warn on any attempts to contact a listed site, whether by inline image, script, redirect, iframe, ftp etc. etc.

Reproducible: Always
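
The check the report asks for, sketched as an added example that is not part of the bug report and is not Firefox code: every URL a page fetches without user navigation (script, image, iframe, meta refresh) is resolved against the page URL and its host compared with a blocklist. The host `attack-site.example`, the plain-hostname list and the sample page are constructed for illustration; the real Safe Browsing list format is different.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist (assumption): plain hostnames, unlike the real list format.
LISTED_HOSTS = {"attack-site.example"}
# Tag -> attribute that makes the browser fetch a URL with no user navigation.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src",
               "embed": "src", "object": "data", "link": "href"}
# Constructed sample page; the <a> link is navigation, which already alerts.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="5; url=http://attack-site.example/next">
<script src="http://attack-site.example/x.js"></script>
<script src="/local.js"></script>
</head><body>
<img src="//cdn.attack-site.example/pixel.gif">
<iframe src="ftp://attack-site.example/pub/"></iframe>
<a href="http://attack-site.example/">link</a>
</body></html>"""


def is_listed(host, listed=LISTED_HOSTS):
    """True if the host or any parent domain is on the list."""
    labels = (host or "").lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))


class SubresourceAudit(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.hits = base_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCH_ATTRS.get(tag, ""))
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content="5; url=http://..." redirects without a click
            target = (attrs.get("content") or "").partition(";")[2].strip()
            url = target[4:].strip(" '\"") if target.lower().startswith("url=") else None
        if url:
            absolute = urljoin(self.base_url, url)  # resolves /path and //host forms
            if is_listed(urlsplit(absolute).hostname):
                self.hits.append((tag, absolute))


def audit(html, base_url):
    """Return (tag, absolute_url) for each automatic fetch to a listed host."""
    parser = SubresourceAudit(base_url)
    parser.feed(html)
    parser.close()
    return parser.hits
```

Calling `audit(SAMPLE, "http://good.example/page")` flags the meta refresh, the remote script, the protocol-relative image on a subdomain and the FTP iframe, and leaves the same-origin script alone.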
Component: General → Phishing Protection
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Product: Firefox → Toolkit