diff options
| author | Eric Wong <e@80x24.org> | 2020-11-23 14:15:35 +0000 |
|---|---|---|
| committer | Eric Wong <e@80x24.org> | 2020-11-24 16:16:17 +0000 |
| commit | 46cbc5a7a4ba917bd7154be3b6e6898420ff85d3 (patch) | |
| tree | 905ee5cf80452fbe8e963b5c5badfc2e4b8b5e64 /lib/PublicInbox/NNTP.pm | |
| parent | d63bd02ca7ef26190d073896fe063c497ef60d85 (diff) | |
| download | public-inbox-46cbc5a7a4ba917bd7154be3b6e6898420ff85d3.tar.gz | |
This prevents `<img src=' tags from being used to deep-link image attachments from HTML outside of the current host and reduces potential for abuse. Some browsers (e.g. Firefox) favor content detection and will display images irrespective of the Content-Type header being "application/octet-stream", and "Content-Disposition: attachment" doesn't stop them, either. Tested with dillo and Firefox. Reported-by: Leah Neukirchen <leah@vuxu.org>
Diffstat (limited to 'lib/PublicInbox/NNTP.pm')
0 files changed, 0 insertions, 0 deletions