author | Eric Wong <e@80x24.org> | 2020-11-23 14:15:35 +0000 |
---|---|---|
committer | Eric Wong <e@80x24.org> | 2020-12-26 19:42:16 +0000 |
commit | c39ed01a3a4c6c4634642eb875a16538aceacfc3 (patch) | |
tree | 2ad2c768a60634bc1bc5df7f9e5c3e137ddb4920 /t | |
parent | 0366c73f20b436d4d5307a56c2b6ac93b115f23f (diff) | |
download | public-inbox-c39ed01a3a4c6c4634642eb875a16538aceacfc3.tar.gz | |
This prevents `<img src=' tags from being used to deep-link image attachments from HTML outside of the current host and reduces potential for abuse. Some browsers (e.g. Firefox) favor content detection and will display images irrespective of the Content-Type header being "application/octet-stream", and "Content-Disposition: attachment" doesn't stop them, either.

Tested with dillo and Firefox.

Reported-by: Leah Neukirchen <leah@vuxu.org>
(cherry picked from commit 46cbc5a7a4ba917bd7154be3b6e6898420ff85d3)
Diffstat (limited to 't')
0 files changed, 0 insertions, 0 deletions