Disable websites from accessing "about:" pages
Websites can access content on "about:" pages, like picture on "about:logo". How to disable that ?
Chosen solution
The article demonstrates that websites can use the img tag to display to you internal Firefox resources that they already know about (i.e., they know the internal address), and they can use script feature to determine whether the img exists and thereby determine whether you are using Firefox.
(This also works with the CSS background-image, but that probably isn't as useful for harvesting information.)
Of course, Firefox usually announces itself directly, and there are other methods to learn about the browser by testing capabilities, but displaying the logo might be useful in a phishing attack.
I have doubts about whether access to about: pages goes beyond this, but I haven't researched it.
So... is there a way to block access to about: / chrome: / resource: from tags and CSS in ordinary http: / https: web pages? I haven't seen one yet after a little searching, but with a variety of image blocking extensions in the world, perhaps one of them has this feature or could be adapted.
All Replies (12)
Can you give ab example?
Hello,
In order to better assist you with your issue please provide us with a screenshot. If you need help to create a screenshot, please see How do I create a screenshot of my problem?
Once you've done this, attach the saved screenshot file to your forum post by clicking the Browse... button below the Post your reply box. This will help us to visualize the problem.
Thank you!
A website could possibly only access a specific page if you have opened it previously in the same tab, so this website would be part of the history of the current tab. I don't know why you mention the about:logo page as there is normally no need to open this page at all.
This small code only shows the picture in Firefox. How to block websites from accessing the resources.
img src="about:logo"/
code disappears if I write it
Taking a Screen shot; Windows > Start > search box > Snip. Select Snipping Tool. Use a compressed image type like PNG or JPG to save the screenshot. Save the picture(s) to your desktop. Now look at the Reply box below. Press the button under it that says Browse. Now select the screen-shot(s) from the desktop and load them one at a time.
here is the screenshot with problematic resource call
Untitled.png
Chosen Solution
The article demonstrates that websites can use the img tag to display to you internal Firefox resources that they already know about (i.e., they know the internal address), and they can use script feature to determine whether the img exists and thereby determine whether you are using Firefox.
(This also works with the CSS background-image, but that probably isn't as useful for harvesting information.)
Of course, Firefox usually announces itself directly, and there are other methods to learn about the browser by testing capabilities, but displaying the logo might be useful in a phishing attack.
I have doubts about whether access to about: pages goes beyond this, but I haven't researched it.
So... is there a way to block access to about: / chrome: / resource: from tags and CSS in ordinary http: / https: web pages? I haven't seen one yet after a little searching, but with a variety of image blocking extensions in the world, perhaps one of them has this feature or could be adapted.
As a kind of proof of concept, you could check out this userscript: https://greasyfork.org/en/scripts/20325-block-internal-images-hardcoded-in-img-tag (note: requires the Greasemonkey extension to be installed and enabled first)
The demo page in the screenshot is: https://jeffersonscher.com/res/aboutimg.html
