On Jul 21, 2004, at 4:56 PM, John Dowling wrote:
I disagree.
Initially, the image used in that popup actually comes from a different server, but that's trivial. What I see as a bigger issue is that blocking the image from the server leaves the user with an empty div block covering the page, and blocking the site serving the div content could essentially render the div 'uncloseable'. Of course, this is more along the lines of browseability, and does not seem to have any very obvious security implications above and beyond what can be served via a page without the annoying <div>.
You have a good point, so I went back to take a look. There are 2 factors that ameliorate that issue. The first is that I am unlikely to want to click through on a page that is doing that and even less likely to want my users to do so :) The second is that the "Nuke Anything" Firefox extension was able to remove the <div> with a simple right-click -> remove.
Charles Richmond
Implemented Integrated Systems Corporation http://www.iisc.com
O/S, I18N, Systems Development, Process and Integration Providers
[EMAIL PROTECTED] [EMAIL PROTECTED] YIM:cmriisc http://www.iisc.com/cmr
7B West St., Somerville, Ma. USA 02144 (781) 389 9777
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
