
Pixel tracking images in tickets are being loaded


Vikki Cameron


One of our users has reported that when dealing with a phishing incident report from a customer in Hornbill, he noticed that the page was making a request to the phishing site, even though he did not click the link and had not opted to download external images. He is quite concerned that a secure/trusted origin containing personal data is making requests to external, untrusted resources that are referenced in the body of emails from customers, unless you specifically click the 'Download external images' button. Even though the email from the customer is loaded in a sandboxed iframe, the 'allow-same-origin', 'allow-popups' and 'allow-popups-to-escape-sandbox' attributes are used, so it's not a full sandbox.

Please can you advise/look into this?

Many thanks.


Hi,

The sandboxed iframe should not allow third-party images to be loaded. The allow-same-origin flag only allows content to be loaded from the same domain, i.e. hornbill.com, and the allow-popups flag allows URLs to be clicked on that open in a new window. These should still prevent images from untrusted resources from being loaded. Can I ask what browser is being used so that we can investigate further?

Thanks

Trevor


Hi Trevor, Daniel,

Many thanks for your quick response and help with this. Our user who reported this has tested the fix and asked if you can confirm the following:

Is it intended for the <img> tag to be in the DOM, but just blocked by the Content-Security-Policy? I would expect the <img> tags shouldn't be added to the DOM until the 'Load external images' button is pressed. Please see the screenshot from the Chrome dev console. Also, does this fix break the 'Load external images' functionality? Or does loading external images use a different method where the Content-Security-Policy img-src is not enforced?

Just to confirm, the fix has been tested in IE (Citrix) and Chrome (local).

Many thanks


Hi @Vikki Cameron

We use the browser Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) feature in order to prevent loading of various resources which could have security implications. This includes blocking images from 3rd parties but also blocks other potentially malicious content. It is therefore not necessary to remove the img tag embedded in the email, as the image will be blocked by the browser automatically with the security policy set.

The 'Load external images' functionality changes the security policy to allow the external images to be loaded (this change is only temporary, and the next time an email is loaded the policy will be set back to disallow external images).

Thanks

Trevor
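As an added illustration of the two policy states Trevor describes (not Hornbill's own code), the following builds the restrictive and the temporary "Load external images" `img-src` policies and evaluates whether a tracking pixel left in the DOM would be fetched under each. The app origin and the pixel URL are constructed placeholders; the matcher implements the common CSP source forms ('self', scheme, host and wildcard host) and ignores sandbox flags.

```javascript
// Placeholder for the ticketing app's origin (constructed, not a real host).
const APP_ORIGIN = "https://app.example.invalid";

// Build the Content-Security-Policy value for the two states the thread describes.
function buildImgSrcPolicy({ allowExternal = false } = {}) {
  // Default: images may only be fetched from the app's own origin.
  // "Load external images": temporarily also permit https images from any host.
  const sources = allowExternal ? ["'self'", "https:"] : ["'self'"];
  return `default-src 'self'; img-src ${sources.join(" ")}`;
}

// Parse a policy string into { directive: [sources...] }.
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Decide whether an <img src> would be fetched: img-src applies, falling back
// to default-src, and any single matching source expression allows the load.
function imageAllowed(policy, imgUrl, pageOrigin = APP_ORIGIN) {
  const dirs = parsePolicy(policy);
  const sources = dirs["img-src"] ?? dirs["default-src"] ?? [];
  const url = new URL(imgUrl, pageOrigin);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return url.origin === pageOrigin;
    if (src === "*") return true;
    // Scheme source such as "https:" matches any host using that scheme.
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src;
    // Host source, optionally with a leading "*." wildcard; compared by hostname only.
    const wildcard = /^(?:[a-z]+:\/\/)?\*\./i.test(src);
    const host = src.replace(/^[a-z]+:\/\//i, "").replace(/^\*\./, "").replace(/[:/].*$/, "");
    return url.hostname === host || (wildcard && url.hostname.endsWith("." + host));
  });
}

// Constructed sample: a tracking pixel referenced from a phishing email body.
const TRACKING_PIXEL = "https://tracker.attacker.invalid/pixel.gif?id=123";

console.log("default policy  :", imageAllowed(buildImgSrcPolicy(), TRACKING_PIXEL));                       // false
console.log("after 'Load external images':", imageAllowed(buildImgSrcPolicy({ allowExternal: true }), TRACKING_PIXEL)); // true
```

The blocked request still shows up as a CSP violation in the browser console, which is what the Chrome dev console screenshot in the thread reflects.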
