English 中文(简体)
Are cross-domain favicons a security risk?
原标题:

I have a site of user-submitted news articles, and an idea I had for a feature was to grab the favicon on the target site to display along with the link.

The methodology for grabbing the favicon would be checking for the favicon.ico file on the target server. Would displaying that icon as an image open any hole? Could there be some sort of malicious favicon? Would converting the image server-side to a different file format negate risk?

最佳回答

There was a vulnerability in Window s JPEG parser a few years back. It s possible that vulnerabilities could be discovered in other formats in the future, but I think that you are pretty safe to display it as-is, and be vigilant in applying patches if a threat is publicized.

However, to protect the privacy of your users, you should cache the favicon at your server, and let users browsers fetch it from there. On the other hand, some sites might feel you ve violated their intellectual property by displaying their favicon on your site. Again, I probably wouldn t worry about it too much until they ask you to stop.

问题回答

Privacy would be my main concern really as favicons are sometimes used for tracking who bookmarks a page. At the very least it would screw their data as they d think more people are bookmarking them than really are.

When browsers use them the recommended behaviour which I think is adopted by most now, is to only fetch the favicon when you visit the site and then cache in the browser. I would do the same server side by fetching the icon when a user submits the article and cache it (and at the same time you can take the opportunity to verify the link is valid, extract a summary, etc).

There is always some risk in including content over which you have no control.

For example, if the image renderer in browser x was to suffer from a buffer overflow vulnerability, then the owner of the site that hosts the source image could swap out the original icon for a malicious one. Your users could then be infected from your site without you knowing.

As an addittion to the other answers, you should know that many (most?) sites these days don t have a file favicon.ico in their web root, but a tag like this in the HTML head:

<link rel="shortcut icon" href="http://www.example.com/images/icon.png">

Where the icon can be in other formats than .ico.





相关问题
Signed executables under Linux

For security reasons, it is desirable to check the integrity of code before execution, avoiding tampered software by an attacker. So, my question is How to sign executable code and run only trusted ...

MALICIOUS_CODE EI_EXPOSE_REP Medium

I run findbugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User ...

XSS on jsbin.com

Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...

Make md5 strong

Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...

Why running a service as Local System is bad on windows?

I am trying to find out the difference between difference service account types. I tumbled upon this question. The answer was because it has powerful access to local resources, and Network Service ...

Brute-force/DoS prevention in PHP [closed]

I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...

热门标签