Jump to content

Pixel tracking images in tickets are being loaded


Vikki Cameron
 Share

Recommended Posts

One of our users has reported when dealing with a phishing incident report from a customer in Hornbill, he noticed that the page was making a request to the phishing site, even though he did not click the link and had not opted to download external images. He is quite concerned that a secure/trusted origin containing personal data, is making requests to external, untrusted resources that are referenced in the body of emails from customers, unless you specifically click the 'Download external images' button. Even though the email is loaded from the customer in a sandboxed iFrame, the 'allow-same-origin', 'allow-popups' and 'allow-popups-to-escape-sandbox' attributes are used, so it's not a full sandbox.

Please can you advise/look into this?

Many thanks.

Link to comment
Share on other sites

Hi,

The sandboxed iframe should not allow third party images to be loaded, the allow-same-origin flag only allows content to be loaded from the same domain, i.e. hornbill.com and the allow-popups flags allows URLs to be clicked on that open in a new window.  These should still prevent images from untrusted resources from being loaded.  Can I ask what browser is being used so that we can investigate further?

Thanks

Trevor

Link to comment
Share on other sites

Hi Trevor, Daniel,

Many thanks for your quick response and help with this. Our user who reported this has tested the fix and asked if you can confirm the following:-

Is it intended for the <img> tag to be in the DOM, but just blocked by the Content-Security-Policy? I would expect the <img> tags shouldn’t be added to the DOM until the ‘Load external images’ button is pressed. Please see screen shot from the Chrome dev console. Also does this fix break the ‘Load external images’ functionality? Or does loading external images use a different method where the Content-Security-Policy img-src is not enforced??

Just to confirm the fix has been tested in IE (Citrix) and Chrome (local).chrome.thumb.PNG.b6eb67762c6add1bbc844b13dcbfdc48.PNG

Many thanks

 

Link to comment
Share on other sites

Hi @Vikki Cameron

We use the browser Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) feature in order to prevent loading of various resources which could have security implications, this includes blocking images from 3rd parties but also blocks other potentially malicious content.  It is therefore not necessary to remove the img tag embedded in the email as the image will be blocked by the browser automatically with the security policy set.

The 'Load external images' functionality changes the security policy to allow the external images to be loaded (this change is only temporary and the next time an email is loaded the policy will be set back to disallow external images)

Thanks

Trevor

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...