Maybe we can just block link type=* ? ----- Forwarded message from Andrew Rodland <arodland at noln.com> -----
From: Andrew Rodland <[email protected]> Organization: Dis Organization To: toad at amphibian.dyndns.org Subject: Anonymity filter breakage I've come up with another way to bypass the anonymity filter, in the spirit of the "IE allows sites to compromise your anonymity" attack, except this one is far from IE-specific. In fact, it works (so far) on IE, Konqueror, and K-Meleon (assuming Mozilla as well, it's all gecko). All it takes is to generate a piece of CSS that says: body { background-image: url(http://www.somewhere.com/something.png) } and upload it _as text/plain_, and then in your page say <link rel="stylesheet" href="my stylesheet.txt" type="text/css">. Every browser I can find will infer from the tag that the file should be interpreted as CSS, even though the server reports that it's text/plain. I don't see any way for the filter to handle this, except to get paranoid and even warn on text/plain files. Really it's a browser issue, but the "correct" browser fix would probably cause problems on a bunch of broken http servers (not that that's the browser's fault, but it would make many unwilling). Maybe it is time for a freenet browser, based on fcplib and a custom gecko, that doesn't even know what HTTP is. (and/or a web browser that's incredibly tight about privacy and anonymity) Anyway, Cheers --hobbs ----- End forwarded message ----- -- Matthew Toseland toad at amphibian.dyndns.org amphibian at users.sourceforge.net Freenet/Coldstore open source hacker. Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03 http://freenetproject.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <https://emu.freenetproject.org/pipermail/devl/attachments/20021224/f34c4852/attachment.pgp>
