Closed Bug 501455 Opened 15 years ago Closed 14 years ago

Possible to bypass image blocking with data: url

Categories

(Core :: Graphics: Image Blocking, defect)

x86
Windows Vista
defect
Not set
normal

RESOLVED DUPLICATE of bug 331257

People

(Reporter: Natch, Assigned: Natch)

Attachments

(2 files)

Attached file testcase (deleted)
The content blocker doesn't check the principal uri, it checks the actual image uri and will bail on a data: image (and others).
Flags: in-testsuite?
Flags: blocking1.9.2?
Joe, I think this is in your ballpark, would you be ok with me changing it to pass in the principal uri? I'd have to change the front-end code as well to block on the principal uri, that should be doable with imgIRequest I think.
In principle I have no problem with that, I think, but I'd have to see the patch to say for sure.
Attached patch patch -test (deleted)
Ok, sorry about that. The principal is already handed to the content blocker, it just fails to use it. I changed nsContentBlocker to use the principal uri if the first uri isn't scheme compatible. This fixes the testcase on this bug for me, I'll create a test and request review.
Assignee: nobody → highmind63
Flags: blocking1.9.2? → blocking1.9.2-
Comment on attachment 387690: patch -test
This patch is wrong; for example it'll prevent loading of chrome:// images from http pages, thus breaking various parts of the browser UI and various extensions.
Attachment #387690 - Flags: review-
Also, this is a duplicate....
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
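
A simplified model of the two checks discussed in this thread, added here as an illustration; it is not Mozilla's code and not the attached patch. It compares checking only the image URI with falling back to the principal URI, for three loads requested by a page on a blocked host. The per-host block list, the set of checked schemes, all function names and the sample URIs are assumptions made for the example.

```javascript
// Simplified model of the scheme check discussed in this bug.
// Hypothetical names throughout; this is not nsContentBlocker's code.

// Assumption: the blocker only evaluates these schemes and skips the rest.
const CHECKED_SCHEMES = new Set(["http:", "https:", "ftp:"]);

function decide(uri, blockedHosts) {
  return blockedHosts.has(uri.hostname) ? "block" : "allow";
}

// Behaviour reported in the bug: only the image URI is examined, so any
// image whose own scheme is not checked (data:, chrome:, ...) is allowed.
function checkImageUriOnly(imageUri, principalUri, blockedHosts) {
  const image = new URL(imageUri);
  if (!CHECKED_SCHEMES.has(image.protocol)) return "allow";
  return decide(image, blockedHosts);
}

// Behaviour of the proposed patch as described in the thread: fall back to
// the principal URI when the image URI's scheme is not one the blocker checks.
function checkWithPrincipalFallback(imageUri, principalUri, blockedHosts) {
  let subject = new URL(imageUri);
  if (!CHECKED_SCHEMES.has(subject.protocol)) subject = new URL(principalUri);
  if (!CHECKED_SCHEMES.has(subject.protocol)) return "allow";
  return decide(subject, blockedHosts);
}

// Constructed sample loads, all requested by a page on a blocked host.
const BLOCKED = new Set(["blocked.example"]);
const PAGE = "http://blocked.example/page.html";
const SAMPLES = [
  ["http image", "http://blocked.example/banner.png"],
  ["data: image", "data:image/png;base64,AAAA"],
  ["chrome: image", "chrome://example/skin/icon.png"],
];

function compare() {
  return SAMPLES.map(([label, imageUri]) => ({
    label,
    uriOnly: checkImageUriOnly(imageUri, PAGE, BLOCKED),
    fallback: checkWithPrincipalFallback(imageUri, PAGE, BLOCKED),
  }));
}

console.table(compare());
```

The data: row shows the bypass reported here, and the chrome: row shows the regression raised in review: with the fallback, a chrome:// image is judged by the embedding page's host.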