bb wrote:
> On http://www.dillo.org/ I found the item News and a remark:
> 03-Jul-2009 Dillo-2.1.1 has been released to provide a security fix for malicious images. I am not sure what is meant by "malicious images". Are these so-called Web bugs? If yes, how is the blocking done?
Here's the advisory about the image size problem: http://www.ocert.org/advisories/ocert-2009-008.html
> I think there are some strategies possible to prevent a browser from a Web Bug attack:
> 1. Don't allow gifs or pngs to be loaded from another URL than the one the actual page comes from. (I think I remember that Firefox originally had such an option - not available in the actual version.)
Here's the beginning of a thread and a patch experimenting with this: http://lists.auriga.wearlab.de/pipermail/dillo-dev/2009-September/006844.htm... (the "same host" option was found to be useless, but I'm still interested in "same domain")
> 2. I think one might prepare HTML/CSS not to load such gifs or pngs smaller than, say, about 5x5. Do you think such a measure is feasible in Dillo, and could that really stop Web Bugs? But I think there should not be a problem making Web Bugs larger than 1x1 pixel as long as they are transparent - maybe I am wrong, I am just a simple-minded user, not a web professional. So such a limit might be useless?
Here's a post and patch experimenting with rejecting images with a dimension of 0: http://lists.auriga.wearlab.de/pipermail/dillo-dev/2009-December/007101.html
> Are there other ideas? I am highly interested in that Web Bug problem.
I'm glad to hear this, since user interest may encourage things to happen...
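The two image-loading policies discussed in this thread ("same domain" and rejecting tiny or zero-sized images), sketched as a stand-alone Python policy function. This is an added example, not Dillo's code or either of the posted patches; the 5x5 threshold, the pixel-count sanity cap and the "last two host labels" approximation of a registrable domain are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical thresholds, not values from Dillo or the thread's patches.
MIN_DIM = 5            # images narrower or shorter than this are treated as web bugs
MAX_PIXELS = 1 << 26   # sanity cap on width*height (guards against absurd declared sizes)


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (example.com).

    A real implementation should consult a public-suffix list so that
    hosts under co.uk-style suffixes are not collapsed into one domain.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def same_domain(page_url: str, img_url: str) -> bool:
    """True when page and image share a registrable domain (the 'same domain' option)."""
    page_host = urlsplit(page_url).hostname or ""
    img_host = urlsplit(img_url).hostname or ""
    return bool(page_host) and registrable_domain(page_host) == registrable_domain(img_host)


def image_policy(page_url, img_url, width, height, require_same_domain=True):
    """Decide whether an image should be fetched/rendered.

    Returns (allow, reason).  Dimension checks run first so that a zero or
    tiny image is rejected regardless of where it is hosted.
    """
    if width <= 0 or height <= 0:
        return False, "zero dimension"
    if width < MIN_DIM or height < MIN_DIM:
        return False, "tiny image (possible web bug)"
    if width * height > MAX_PIXELS:
        return False, "unreasonably large image"
    if require_same_domain and not same_domain(page_url, img_url):
        return False, "third-party image"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a 1x1 tracking pixel from a third-party host.
    print(image_policy("http://www.dillo.org/news.html",
                       "http://tracker.example.net/b.gif", 1, 1))
```

As the thread notes, a transparent bug can be made larger than the size threshold, so the dimension rule only raises the bar; the domain rule is what actually stops cross-site fetches.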