Security: Cosmetic filters can make background requests using image-set() on Firefox

[hackvertor]

Prerequisites

• I verified that this is not a filter issue (MUST be reported at filter issue tracker)
• This is not a support issue or a question
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue
• The issue is not present after wholly disabling uBlock Origin ("uBO") in the browser
• I checked the documentation to understand that the issue I report is not a normal behavior

I tried to reproduce the issue when...

• uBO is the only extension
• uBO with default lists/settings
• using a new, unmodified browser profile

Description

It's possible to create background requests using the image-set() CSS function on Firefox. uBlock prevents requests using url() but does not for image-set().

*#$#* { font-family: 'blah'; background:image-set('https://hackvertor.co.uk/images/logo.gif' 1x) }

A specific URL where the issue occurs

https://portswigger-labs.net/

Steps to Reproduce

1. Open Firefox and add the following rule to "My filters":

*#$#* { font-family: 'blah'; background:image-set('https://hackvertor.co.uk/images/logo.gif' 1x) }

2. Visit https://portswigger-labs.net/ notice the background image has been added to everything.

Expected behavior

image-set() should be blocked like url()

Actual behavior

image-set() is not blocked and a background request is made

uBlock Origin version

1.38.7b19

Browser name and version

Firefox 94.0.1

Operating System and version

MacOS 10.15.7

[hackvertor]

@gorhill Double slashes can be bypassed with:

/image-set\(|url\(|\/\/|\\|\/\*/i.test('/\t/')

External resources will be fetched even if slashes are separated by tab

[gorhill]

Related: https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css