Comment 81 for bug 294712

(In reply to comment #76)
> I have no idea what you're asking. Presumably, the uri to be used here should
> be the same as the uri that will be used for the "load this image" check, no?
> Anything else won't give the right behavior... If images are turned off
> period, I'm not sure that you can get any sane behavior here with a per-host
> whitelist, can you?

I'm asking, when a data image is passed through to ShouldLoad, what's the url that is passed through? I hope not the data: url as that would make it possible for websites to bypass the url checking at least for REJECT_SERVER, no?
And this works per-host even if images are turned off completely, because the check for the override comes before the check for the pref.

> > They're not ignored at all, in fact each particular REJECT_* value will have
> > a different effect just as if you would make a real policy change.
>
> On reading this again, I agree they are not ignored, but all values other than
> BEHAVIOR_ACCEPT are treated identically, so I don't see how the second part of
> what you say here can be true.

I'll recheck this, it seems like you're right, must of overlooked the possibility of someone wanting to fake REJECT_TYPE.

I'll try to get some more context in my patch, I seem to have a very small default for my mq patches.