Closed Bug 658048 Opened 13 years ago Closed 13 years ago

Blocking Images from Firefox -> Tools -> Options menu does not block all images (inline images, websites icons)

Categories

(Firefox :: Settings UI, defect)

Product:
Firefox
Component:
Settings UI
Version:
4.0 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 331257

People

(Reporter: marin.ionut86, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

When blocking images from Firefox: Tools -> Options -> Content" -> uncheck "Load images automatically", the image data URIs (inline images) are still displayed:

The following form doesn`t require Javascript to display the inline image (blocking images and Javascript from Firefox menu has no effect). This can be dangerous, if the images contain malware:
<img src="data:image/...." alt="Inline Image" />

GIF, base 64:
data:image/gif;base64,R0lGODdhMAAwAPAAAAAAAP///ywAAAAAMAAwAAAC8IyPqcvt3wCcDkiLc7C0qwyGHhSWpjQu5yqmCYsapyuvUUlvONmOZtfzgFzByTB10QgxOR0TqBQejhRNzOfkVJ+5YiUqrXF5Y5lKh/DeuNcP5yLWGsEbtLiOSpa/TPg7JpJHxyendzWTBfX0cxOnKPjgBzi4diinWGdkF8kjdfnycQZXZeYGejmJlZeGl9i2icVqaNVailT6F5iJ90m6mvuTS4OK05M0vDk0Q4XUtwvKOzrcd3iq9uisF81M1OIcR7lEewwcLp7tuNNkM3uNna3F2JQFo97Vriy/Xl4/f1cf5VWzXyym7PHhhx4dbgYKAAA7

PNG, base 64:
data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAIAAAACUFjqAAAABGdBTUEAALGPC/xhBQAAAAlwSFlzAAALEgAACxIB0t1+/AAAAAd0SU1FB9EFBAoYMhVvMQIAAAAtSURBVHicY/z//z8DHoBH+v///yy4FDEyMjIwMDDhM3lgpaEuh7gTEzDiDxYA9HEPDF90e5YAAAAASUVORK5CYII=

SVG:
data:image/svg+xml
e.g.: http://upload.wikimedia.org/wikipedia/commons/6/6b/Bitmap_VS_SVG.svg

JPEG/JPG, base64:
<img src="data:image/jpg;base64, base64_encoded_jpg_data" />

and all image formats supported by Firefox

----

Also, please consider that when blocking images, the ICO and other icon image formats (PNG, GIF, ...) should also be blocked, because the icon files of a website can also carry viruses:
e.g.:
http://forum.avast.com/index.php?topic=54094.0;wap2
https://badwarebusters.org/main/itemview/18916
Because the icon of a website can be infected, when bookmarking the website also the icon should not be stored in bookmarks if blocking images is enabled.
	
ICO, base64:
data:image/ico;base64
data:image/x-icon;base64

<Image width="16" height="16">data:image/x-icon;base64,imageData</Image>
<link href='data:image/x-icon;base64,THE_BASE64_CODE_GOES_HERE' rel='icon' type='image/x-icon'/>
<link rel="icon" type="image/vnd.microsoft.icon" href="favicon.ico" />
<link rel="shortcut icon" href="pictures/favicon2.gif">
<os:Image width="16" height="16">data:image/x-icon;base64,AAABAA... </os:Image>


CSS:

div.image {
  width:100px;
  height:100px;
  background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADIA...);
}

background: url(data:image/gif;base64, ..

---------------

This one requires JavaSCript:
<object data="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAIAAAACUFjqAAAABGdBTUEAALGPC/xhBQAAAAlwSFlzAAALEgAACxIB0t1+/AAAAAd0SU1FB9EFBAoYMhVvMQIAAAAtSURBVHicY/z//z8DHoBH+v///yy4FDEyMjIwMDDhM3lgpaEuh7gTEzDiDxYA9HEPDF90e5YAAAAASUVORK5CYII=">
</object>


---------------
Note: Some tests are from http://www-archive.mozilla.org/quality/networking/testing/datatests.html

Reproducible: Always

Steps to Reproduce:
1.Tools -> Options -> Content" -> uncheck "Load images automatically"
2.Load a page with an inline image: <img src="data:image/...." alt="Inline Image" />

Actual Results:  
The image is still displayed

Expected Results:  
The image shoulf not be displayed
Version: unspecified → 4.0 Branch
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.