RequestPolicyContinued / requestpolicy

a web browser extension that gives you control over cross-site requests. Available for XUL/XPCOM-based browsers.
https://github.com/RequestPolicyContinued/requestpolicy/wiki

Resource blocker and built-in image viewer #807

Closed wilkowy closed 7 years ago

wilkowy commented 8 years ago

I'm aware of the URI Resource Leak issue, but how big an impact on privacy reduction (fingerprinting) would there be if RP allowed access to:

Both CSS-es are for the built-in image viewer.

RP's policies do not allow using paths, so allowing resource://gre globally is not an option.

myrdd commented 8 years ago

I've been considering this, but I'm not fully sure how to handle such problems in general, i.e., when or when not to whitelist. A nice solution would be to only allow those resources when they are actually needed, that is, when the tab really shows an image only.

As far as I know, fingerprinting is always possible, especially with JavaScript enabled. Depending on your browser settings, you can just make fingerprinting harder. For best privacy, use the Tor Browser with the highest security/privacy settings.

However, my intention in blocking internal resources is to prevent this very easy detection of add-ons. Regarding this particular issue, the two CSS files come from the browser itself, so they should be okay to whitelist IMHO.
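
The trade-off discussed in this thread, as an added example that is not part of the thread and not RequestPolicy's code: a host-level rule for `resource://gre` compared with a rule that allows only the exact viewer stylesheets, and only while the tab shows a standalone image. The stylesheet paths are placeholders (the thread does not list them), and the `topLevelContentType` field and all function names are hypothetical.

```javascript
// Added illustration, not RequestPolicy code. The two paths are placeholders:
// the thread does not list the real stylesheet locations.
const IMAGE_VIEWER_STYLES = new Set([
  "resource://gre/PLACEHOLDER/viewer-a.css",
  "resource://gre/PLACEHOLDER/viewer-b.css",
]);

// Canonical form without query or fragment; dot segments are resolved by URL.
function canonical(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}${u.pathname}`;
}

// Host-level rule: the granularity available when rules cannot carry paths.
function hostRuleAllows(destUrl, allowedHosts) {
  const u = new URL(destUrl);
  return allowedHosts.has(`${u.protocol}//${u.host}`);
}

// Context-aware rule: exact stylesheet URL, and only while the tab's
// top-level document is a standalone image (hypothetical field name).
function imageTabRuleAllows({ destUrl, topLevelContentType }) {
  const isImageTab = /^image\//i.test(topLevelContentType || "");
  return isImageTab && IMAGE_VIEWER_STYLES.has(canonical(destUrl));
}

// Constructed sample requests.
const SAMPLES = [
  { name: "image tab loads viewer stylesheet",
    destUrl: "resource://gre/PLACEHOLDER/viewer-a.css", topLevelContentType: "image/png" },
  { name: "HTML page requests viewer stylesheet",
    destUrl: "resource://gre/PLACEHOLDER/viewer-a.css", topLevelContentType: "text/html" },
  { name: "HTML page requests another internal file",
    destUrl: "resource://gre/PLACEHOLDER/other.js", topLevelContentType: "text/html" },
  { name: "dot-segment path on image tab",
    destUrl: "resource://gre/PLACEHOLDER/x/../other.js", topLevelContentType: "image/png" },
];

// Evaluate every sample under both rules so the difference is visible per row.
function compareRules(samples = SAMPLES) {
  const hosts = new Set(["resource://gre"]);
  return samples.map((s) => ({
    name: s.name,
    hostRule: hostRuleAllows(s.destUrl, hosts),
    imageTabRule: imageTabRuleAllows(s),
  }));
}

console.table(compareRules());
```

The host-level rule allows every row, including requests made from ordinary HTML pages, while the image-tab rule allows only the first.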