Vikki Cameron, posted May 31, 2019:

One of our users has reported that, when dealing with a phishing incident report from a customer in Hornbill, he noticed that the page was making a request to the phishing site, even though he did not click the link and had not opted to download external images. He is quite concerned that a secure/trusted origin containing personal data is making requests to external, untrusted resources that are referenced in the body of emails from customers, unless you specifically click the 'Download external images' button. Even though the email from the customer is loaded in a sandboxed iFrame, the 'allow-same-origin', 'allow-popups' and 'allow-popups-to-escape-sandbox' attributes are used, so it's not a full sandbox. Please can you advise/look into this? Many thanks.
TrevorHarris, posted June 3, 2019:

Hi, the sandboxed iframe should not allow third-party images to be loaded. The allow-same-origin flag only allows content to be loaded from the same domain, i.e. hornbill.com, and the allow-popups flag allows URLs to be clicked on that open in a new window. These should still prevent images from untrusted resources from being loaded. Can I ask what browser is being used so that we can investigate further? Thanks, Trevor
Daniel Dekel, posted June 3, 2019:

@Vikki Cameron, we did find the problem. There was a property in the header that was not allowing the iframe to use the sandbox property. We've fixed this now and it should be going live today. Kind regards, Daniel.
Vikki Cameron (author), posted June 3, 2019:

Hi Trevor, Daniel, many thanks for your quick response and help with this. Our user who reported this has tested the fix and asked if you can confirm the following: Is it intended for the <img> tag to be in the DOM, but just blocked by the Content-Security-Policy? I would expect the <img> tags shouldn't be added to the DOM until the 'Load external images' button is pressed. Please see the screenshot from the Chrome dev console. Also, does this fix break the 'Load external images' functionality? Or does loading external images use a different method where the Content-Security-Policy img-src is not enforced? Just to confirm, the fix has been tested in IE (Citrix) and Chrome (local). Many thanks
TrevorHarris, posted June 3, 2019:

Hi @Vikki Cameron, we use the browser Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) feature in order to prevent loading of various resources which could have security implications; this includes blocking images from 3rd parties but also blocks other potentially malicious content. It is therefore not necessary to remove the img tag embedded in the email, as the image will be blocked by the browser automatically with the security policy set. The 'Load external images' functionality changes the security policy to allow the external images to be loaded (this change is only temporary, and the next time an email is loaded the policy will be set back to disallow external images). Thanks, Trevor
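The mechanism described in the two replies above (a sandboxed iframe plus a CSP whose img-src leaves the <img> tag in the DOM but stops the browser fetching it, and a 'Load external images' action that relaxes only img-src for one render) can be illustrated with the following added example. This is illustrative code written for this thread, not Hornbill's implementation: Hornbill sets the policy via an HTTP header, whereas this example puts an equivalent policy in a <meta> tag inside the frame's srcdoc; the application origin, the sample email and the hostnames in it are constructed placeholders.

```javascript
// Added illustration (not Hornbill's code): keep external <img> tags in the
// email DOM but let the frame's Content-Security-Policy decide whether the
// browser fetches them. 'Load external images' widens img-src for one render.

// Sandbox flags named in the thread; everything not listed stays denied.
const SANDBOX_FLAGS = ['allow-same-origin', 'allow-popups', 'allow-popups-to-escape-sandbox'];

// Assumed origin of the trusted application (placeholder, not a real deployment).
const APP_ORIGIN = 'https://app.example.test';

// Build the CSP for the email frame. By default only same-origin images may
// load; allowExternalImages adds the https: source expression.
function buildEmailCsp(allowExternalImages = false) {
  const imgSrc = allowExternalImages ? "'self' https:" : "'self'";
  return [
    "default-src 'none'",
    `img-src ${imgSrc}`,
    "style-src 'unsafe-inline'",
    "form-action 'none'",
  ].join('; ');
}

// Minimal extractor for src attributes of <img> tags (sufficient for the
// constructed sample below; not a general HTML parser).
function extractImageSources(html) {
  const out = [];
  const re = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Would the browser fetch this image URL under the given policy? Evaluates the
// two source expressions buildEmailCsp can emit: 'self' and https:.
function isImageAllowed(url, csp, appOrigin = APP_ORIGIN) {
  const directive = csp.split(';').map(s => s.trim()).find(s => s.startsWith('img-src '));
  if (!directive) return false; // no img-src: default-src 'none' applies
  const sources = directive.slice('img-src '.length).split(/\s+/);
  let parsed;
  try { parsed = new URL(url, appOrigin); } catch { return false; }
  if (sources.includes("'self'") && parsed.origin === appOrigin) return true;
  if (sources.includes('https:') && parsed.protocol === 'https:') return true;
  return false;
}

// Attributes and srcdoc the application would emit for the email frame. The
// email HTML, <img> tags included, is placed in the DOM unchanged; the <meta>
// CSP inside the frame is what blocks or permits the image requests.
function renderEmailFrame(emailHtml, { allowExternalImages = false } = {}) {
  const csp = buildEmailCsp(allowExternalImages);
  const srcdoc =
    '<!doctype html><html><head>' +
    `<meta http-equiv="Content-Security-Policy" content="${csp}">` +
    `</head><body>${emailHtml}</body></html>`;
  return { sandbox: SANDBOX_FLAGS.join(' '), csp, srcdoc };
}

// For a rendered frame, list each image URL and whether it would be fetched.
function imageFetchReport(emailHtml, opts) {
  const frame = renderEmailFrame(emailHtml, opts);
  return extractImageSources(emailHtml).map(src => ({
    src,
    fetched: isImageAllowed(src, frame.csp),
  }));
}

// Constructed sample: a phishing-style body with a remote tracking pixel and a
// same-origin logo. Hostnames are placeholders.
const SAMPLE_EMAIL =
  '<p>Your account needs verification.</p>' +
  '<img src="https://phish.example.invalid/pixel.gif" width="1" height="1">' +
  '<img src="/static/logo.png">';

console.log('default policy:', imageFetchReport(SAMPLE_EMAIL));
console.log('after Load external images:', imageFetchReport(SAMPLE_EMAIL, { allowExternalImages: true }));
```

With the default policy the report shows the remote pixel as not fetched and the same-origin logo as fetched, matching the "tag in the DOM, request blocked" behaviour Trevor describes; with allowExternalImages the pixel is fetched too, and because the policy is rebuilt on every render the relaxation does not persist to the next email. Note that the sandbox flags govern script execution, forms and navigation, not resource fetching, which is why the CSP is the control that matters for the original report.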
Vikki Cameron (author), posted June 4, 2019:

Hi Trevor, many thanks for your response. I have passed this on to our user, who is happy this has answered his query. Thanks again for all your help. Vikki