Bug#417796: mozilla-browser: possible information exposure

Mike Hommey mh at glandium.org
Fri Apr 6 05:57:23 UTC 2007


tag 417796 wontfix
thanks

On Wed, Apr 04, 2007 at 05:35:44PM +0200, Caspar Bothmer <caspar-debian at cbothmer.org> wrote:
> Package: mozilla-browser
> Version: 2:1.7.8-1sarge10
> Severity: important
> 
> It is possible to get information about the users' behaviour using css.
> I best show it by example:
> 
> <html>
>  <head>
>   <style type="text/css">
>    #24678:hover
>    {
>      background-image:url("24678.png")
>    }
>    #22578:hover
>    {
>     background-image:url("22578.png")
>    }
>   </style>
>  </head>
>  <body>
>   <p id="24678">item 1</p>
>   <p id="22578">item 2</p>
>  </body>
> </html>
> 
> The first time you move the mouse over the marked element, the browser 
> tries to load and display the image in background.  This will be logged 
> on the remote server.
> 
> There is no need for javascript to be active.

OMFFSM, when I click on a link, that is logged on a remote server !
That's my privacy being violated !

Do you realize your claim sounds pretty ridiculous ?

Mike
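
The behaviour the report describes, a `:hover` rule whose `url()` value is only fetched on first interaction, can be audited for in a page's own markup. The following is an added example, not part of the original thread: a Node.js scan of inline `<style>` blocks for interaction pseudo-classes paired with `url()` loads. The function names and the last two sample rules are constructed for illustration.

```javascript
// Added example: flag CSS rules that fetch a resource only on user interaction.
// Scope: inline <style> blocks only; linked stylesheets would need fetching separately.
const INTERACTION = /:(hover|active|focus-within|focus)\b/i;

function extractStyleBlocks(html) {
  const blocks = [];
  const re = /<style\b[^>]*>([\s\S]*?)<\/style\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) blocks.push(m[1]);
  return blocks;
}

function findInteractionBeacons(html) {
  const findings = [];
  for (const css of extractStyleBlocks(html)) {
    const stripped = css.replace(/\/\*[\s\S]*?\*\//g, ""); // drop CSS comments
    const rule = /([^{}]+)\{([^{}]*)\}/g; // innermost "selector { declarations }"
    let m;
    while ((m = rule.exec(stripped)) !== null) {
      const selectors = m[1].split(",").map((s) => s.trim());
      const urls = [...m[2].matchAll(/url\(\s*(['"]?)(.*?)\1\s*\)/gi)].map((u) => u[2]);
      for (const selector of selectors) {
        const hit = INTERACTION.exec(selector);
        if (!hit) continue; // loaded unconditionally, not tied to interaction
        for (const url of urls) {
          findings.push({ selector, trigger: hit[1].toLowerCase(), url });
        }
      }
    }
  }
  return findings;
}

// Sample input: the two rules from the report, plus two constructed rules
// (one unconditional load, one mixed selector list) as controls.
const SAMPLE = `<html><head><style type="text/css">
  #24678:hover { background-image:url("24678.png") }
  #22578:hover { background-image:url("22578.png") }
  p { background-image: url('static.png') }  /* constructed control */
  a:focus, a.plain { background: url(f.gif) } /* constructed control */
</style></head><body><p id="24678">item 1</p><p id="22578">item 2</p></body></html>`;

console.log(findInteractionBeacons(SAMPLE));
```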