Bug#417796: mozilla-browser: possible information exposure
Mike Hommey
mh at glandium.org
Fri Apr 6 05:57:23 UTC 2007
tag 417796 wontfix
thanks
On Wed, Apr 04, 2007 at 05:35:44PM +0200, Caspar Bothmer <caspar-debian at cbothmer.org> wrote:
> Package: mozilla-browser
> Version: 2:1.7.8-1sarge10
> Severity: important
>
> It is possible to get information about the users' behaviour using css.
> I best show it by example:
>
> <html>
> <head>
> <style type="text/css">
> #24678:hover
> {
> background-image:url("24678.png")
> }
> #22578:hover
> {
> background-image:url("22578.png")
> }
> </style>
> </head>
> <body>
> <p id="24678">item 1</p>
> <p id="22578">item 2</p>
> </body>
> </html>
>
> The first time you move the mouse over the marked element, the browser
> tries to load and display the image in background. This will be logged
> on the remote server.
>
> There is no need for javascript to ba active.
OMFFSM, when I click on a link, that is logged on a remote server !
That's my privacy being violated !
Do you realize your claim sounds pretty ridiculous ?
Mike
More information about the pkg-mozilla-maintainers
mailing list