Bug#417796: mozilla-browser: possible information exposure
Caspar Bothmer
caspar-debian at cbothmer.org
Wed Apr 4 15:35:44 UTC 2007
Package: mozilla-browser
Version: 2:1.7.8-1sarge10
Severity: important
It is possible to get information about the users' behaviour using css.
I best show it by example:
<html>
<head>
<style type="text/css">
#24678:hover
{
background-image:url("24678.png")
}
#22578:hover
{
background-image:url("22578.png")
}
</style>
</head>
<body>
<p id="24678">item 1</p>
<p id="22578">item 2</p>
</body>
</html>
The first time you move the mouse over the marked element, the browser
tries to load and display the image in background. This will be logged
on the remote server.
There is no need for JavaScript to be active.
To stop this behaviour one can block images from a given server, but
that isn't a viable option.
A possible solution would be to get all content at once and keep it in
cache to display it on demand.
I don't know if newer versions of mozilla/iceape are affected by this.
I set this bug report to important as this issue should be fixed easily.
caspar
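
One way to audit a stylesheet for the pattern reported above, as an added example that is not part of the original report. The function name `findInteractionFetches` and the `SAMPLE` input are constructed for illustration, and the check is generalized from `:hover` to `:active` and `:focus`, which can trigger the same on-demand fetch.

```javascript
// Added example: flag CSS rules where a user action triggers a resource fetch.
// Pseudo-classes that only match after a user action; a url() inside such a
// rule is fetched on demand, so the request itself reveals the action.
const INTERACTION = /:(hover|active|focus)\b/i;

function findInteractionFetches(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  const findings = [];
  // Match innermost "selector { declarations }" blocks (also inside @media).
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let rule;
  while ((rule = ruleRe.exec(css)) !== null) {
    const declarations = rule[2];
    const urls = [];
    const urlRe = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;
    let m;
    while ((m = urlRe.exec(declarations)) !== null) {
      const url = m[1] || m[2] || m[3];
      // data: URIs are embedded in the stylesheet and cause no request.
      if (url && !/^data:/i.test(url)) urls.push(url);
    }
    if (urls.length === 0) continue;
    // A rule may list several selectors; report each interaction-gated one.
    for (const selector of rule[1].split(",").map((s) => s.trim())) {
      if (INTERACTION.test(selector)) findings.push({ selector, urls });
    }
  }
  return findings;
}

// Constructed sample: the two rules from the report plus a harmless one.
const SAMPLE = `
#24678:hover { background-image:url("24678.png") }
#22578:hover { background-image:url("22578.png") }
p { background-image:url("static.png") }
`;

for (const f of findInteractionFetches(SAMPLE)) {
  console.log(`${f.selector} -> ${f.urls.join(", ")}`);
}
```
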