Bug#417796: mozilla-browser: possible information exposure

Caspar Bothmer Wed, 04 Apr 2007 08:45:57 -0700

Package: mozilla-browser
Version: 2:1.7.8-1sarge10
Severity: important


It is possible to get information about the users' behaviour using css.
I best show it by example:

<html>
 <head>
  <style type="text/css">
   #24678:hover
   {
     background-image:url("24678.png")
   }
   #22578:hover
   {
    background-image:url("22578.png")
   }
  </style>
 </head>
 <body>
  <p id="24678">item 1</p>
  <p id="22578">item 2</p>
 </body>
</html>

The first time you move the mouse over the marked element, the browser tries to load and display the image in background. This will be logged on the remote server.


There is no need for javascript to ba active.

To stop this behaviour one can block images from a given server, but that isn't a viable option.

A possible solution would be to get all content at once and keep it in cache to display it on demand.


I don't know if newer versions of mozilla/iceape are affected by this.

I set this bug report to important as this issue should be fixed easily.


caspar

signature.asc
Description: OpenPGP digital signature

Bug#417796: mozilla-browser: possible information exposure

Reply via email to