[Project_owners] Is this a remote web-bug in a Thunderbird extension hosted on mozdev?

Patrick Brunschwig patrick.brunschwig at gmx.net
Tue Jan 16 04:48:09 PST 2007


Philip Chee wrote:
> DANGER WILL ROBINSON !
> <http://www.mozdev.org/source/browse/senderface/src/chrome/content/messageViewOverlay.js.diff?r1=1.3&r2=1.4>
> 
> +  var col = document.createElement("treecol");
> +  col.setAttribute("id","myCol");
> +  col.setAttribute("editable","true");
> +  col.setAttribute("label","Face");
> +  col.setAttribute("src",
> "http://taz.vv.sebank.se/cgi-bin/pts3/pow/img/nav_arrow_right.gif");
> 
> This wasn't there in the previous version; and it isn't in the code of
> the extension this was based on (messagefaces).
> 
> There does not seem to be any good reason to load remote content here. I
> mean the other extension, messagefaces, does optionally allow you to use
> remote content for your *faces* but it's a pref that is off by default;
> and it certainly doesn't load remote content for its UI.  What does the
> mozdev T&C say about this sort of behaviour?
> 
> Having said that, I can't imagine why on earth a Swedish bank would want
> to track Thunderbird users.  Am I just being unnecessarily paranoid, or
> are the Gnomes of Zurich  really out to get me?

I think the Gnomes of Zurich get you -- Zurich in in Switzerland, not in
Sweden :-)

Seriously, I don't think that such code is trustworthy and should be
removed. I hope this is just an error and the author actually wanted do
reuse the arrow from that bank (which I don't consider legal either).

-Patrick



More information about the Project_owners mailing list