On Mon, Dec 23, 2002 at 11:48:47PM -0500, Andrew Rodland wrote:
> On Monday 23 December 2002 10:43 pm, Matthew Toseland wrote:
> > Maybe we can just block link type=* ?
> >
> I get a feeling that that won't work.
> I'm betting that a too-large contingent of browsers will either
> 1) reject the stylesheet outright if there isn't a type= in the link tag (I
> think maybe they're even supposed to do that),
> or 2) treat the stylesheet as CSS regardless of both the type= and the
> mimetype (only IE comes to mind here, though -- although on first check,
> Konqy seems to do it as well -- at least for local docs. Will verify online
> soon.)

Hmm. Well in that case... we would have to either disallow external
stylesheets, or have the anonymity filter check the MIME type of the
stylesheet (by fetching its headers... is it the last found or the first
found MIME type that is respected? I.E. would we have to fetch the whole
file, or could we get away with the first thing on the chain that
specifies a MIME type?), to make sure it matches that specified in the
tag... Can anyone think of a simple solution short of disabling external
stylesheets?
>
> > ----- Forwarded message from Andrew Rodland <arodland at noln.com> -----
> [summary of attack against anonymity filter using CSS and mimetype trickery]
>
--
Matthew Toseland
toad at amphibian.dyndns.org
amphibian at users.sourceforge.net
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
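The check proposed in the message above (compare the type= on the link tag with the MIME type the stylesheet is actually served with), as an added example that is not part of the original message or Freenet's code. The `served_types` mapping stands in for fetching the stylesheet's headers; the text/css-only policy, all names and the sample values are assumptions.

```python
from html.parser import HTMLParser

ALLOWED_STYLE_TYPE = "text/css"  # assumption: the only stylesheet type the filter passes


def media_type(value):
    """Bare, lower-cased media type from a type= or Content-Type value."""
    return (value or "").split(";", 1)[0].strip().lower()


class StylesheetLinkCollector(HTMLParser):
    """Collect (href, declared type) for every <link rel=stylesheet>."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        if "stylesheet" in a.get("rel", "").lower().split():
            self.links.append((a.get("href", ""), media_type(a.get("type"))))


def check_links(html, served_types):
    """Return {href: (allowed, reason)} for each external stylesheet link.

    served_types maps href -> Content-Type value seen when the filter fetched
    the stylesheet's headers (hypothetical stand-in for that fetch).
    """
    collector = StylesheetLinkCollector()
    collector.feed(html)
    verdicts = {}
    for href, declared in collector.links:
        served = media_type(served_types.get(href))
        if not declared:
            verdicts[href] = (False, "no type= on link tag")
        elif declared != ALLOWED_STYLE_TYPE:
            verdicts[href] = (False, "declared type is not text/css")
        elif served != declared:
            verdicts[href] = (False, "served MIME type does not match type=")
        else:
            verdicts[href] = (True, "declared and served types agree")
    return verdicts


# Constructed sample page and constructed header values, for illustration only.
SAMPLE_HTML = ('<link rel="stylesheet" type="TEXT/CSS" href="ok.css">'
               '<link rel="stylesheet" type="text/css" href="mismatch.css"/>'
               '<link rel="stylesheet" href="untyped.css">')
SAMPLE_SERVED = {"ok.css": "text/css; charset=utf-8",
                 "mismatch.css": "text/plain", "untyped.css": "text/css"}
```

A link whose stylesheet returns no MIME type at all is also refused, since an empty served type never equals the declared one.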
