Bug#417796: mozilla-browser: possible information exposure

Caspar Bothmer caspar-debian at cbothmer.org
Wed Apr 4 15:35:44 UTC 2007


Package: mozilla-browser
Version: 2:1.7.8-1sarge10
Severity: important

It is possible to get information about the users' behaviour using CSS.
I can best show it by example:

<html>
  <head>
   <style type="text/css">
    #24678:hover
    {
      background-image:url("24678.png")
    }
    #22578:hover
    {
     background-image:url("22578.png")
    }
   </style>
  </head>
  <body>
   <p id="24678">item 1</p>
   <p id="22578">item 2</p>
  </body>
</html>

The first time you move the mouse over the marked element, the browser 
tries to load and display the image in background.  This will be logged 
on the remote server.

There is no need for JavaScript to be active.

To stop this behaviour one can block images from a given server, but 
that isn't a viable option.

A possible solution would be to get all content at once and keep it in 
cache to display it on demand.

I don't know if newer versions of mozilla/iceape are affected by this.

I set this bug report to important as this issue should be fixed easily.


caspar
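
An added example, not part of the original report: one way to audit a stylesheet for the pattern described above, rules that request a remote resource only while an interaction pseudo-class such as :hover matches. The names findInteractionBeacons and SAMPLE_CSS are hypothetical, and every sample rule other than the two taken from the report is constructed.

```javascript
// Added example (not from the report): flag CSS rules that fetch a url()
// only while a user-interaction pseudo-class matches.
const INTERACTION = /:(hover|active|focus-within|focus)\b/i;
const URL_FN = /url\(\s*(['"]?)(.*?)\1\s*\)/gi;

function findInteractionBeacons(css) {
  const findings = [];
  // Drop comments so braces or commas inside them cannot confuse the scan.
  const text = css.replace(/\/\*[\s\S]*?\*\//g, "");
  // Match innermost "selector { declarations }" blocks; rules nested in
  // @media and similar at-rules are therefore found as well.
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(text)) !== null) {
    const selectors = m[1].split(",").map((s) => s.trim())
      .filter((s) => INTERACTION.test(s));
    if (selectors.length === 0) continue;
    // data: URIs are inline and cause no request, so they are not reported.
    const urls = [...m[2].matchAll(URL_FN)].map((u) => u[2])
      .filter((u) => !/^data:/i.test(u));
    for (const selector of selectors) {
      for (const url of urls) findings.push({ selector, url });
    }
  }
  return findings;
}

// Constructed sample: the first two rules are the ones from the report,
// the remaining three are made up to exercise the other code paths.
const SAMPLE_CSS = `
  #24678:hover { background-image:url("24678.png") }
  #22578:hover { background-image:url("22578.png") }
  p { background-image: url(paper.png) }            /* unconditional load */
  a:hover { background: url(data:image/gif;base64,AAAA) }
  @media screen { li:focus, li { list-style-image: url('marker.png') } }
`;

for (const f of findInteractionBeacons(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.url}`);
}
```

The scan is purely textual: it splits selector lists on commas and does not resolve @import or relative URLs, so treat its output as a list of rules to review by hand.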