Slashdot Mirror

← Back to Stories (view on slashdot.org)

Privacy Leak in Mozilla and Mozilla-Based Browsers

Posted by timothy on from the where-are-you-going-where-have-you-been dept.

Mike S. writes "Mozillazine has pointed users to this story at ZDNet UK which breaks the news about a privacy bug discovered in in all Mozilla builds up to and including 1.2a as well as browsers based on Mozilla such as Netscape 6/7, Chimera and Galeon. The bug allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field. This page has a demonstration of the bug and instructions on patching it via a user.js file."

5 of 357 comments (clear)

  1. Easy work-around for now by RPoet · · Score: 5, Informative

    People will tell you to disable Javascript alltogether for protection, but it's better to just disable the onunload event. Just put the following line into your user.js file:

    user_pref("capability.policy.default.Window.onun lo ad", "noAccess");

    You won't miss those ununload events anyway :)

    --
    "Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
    1. Re:Easy work-around for now by maw · · Score: 4, Informative

      You should have a file called prefs.js somewhere within your $HOME/.mozilla directory. You can set user_prefs there.

      --
      You're a suburbanite.
    2. Re:Easy work-around for now by teslatug · · Score: 4, Informative

      better not to set them in prefs.js ,but in user.js (create new file if not there) as the settings in the prefs.js file might get overwritten

  2. Muwahahaha by evilviper · · Score: 4, Informative

    Well, this just proves my point. Javascript should be disabled. (check my older posts, it's there somewhere).

    Anyhow, I think everyone should look into Privoxy [privoxy.org]. In my setup, I have all on(un)load tags removed, and the refer forged to report the it as root of the current server.

    It's quite nice. You simply setup a regex to replace/remove any HTML, you can configure that feature on a site-by-site basis, and do so using a simple web-editor.

    So, check it out, and take back full control of your browser.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  3. Re:HTTP_REFERER by singularity · · Score: 4, Informative

    As with a lot of browser-based things that show up on Slashdot, I feel the need to chime in with a different perspective, from a browser that does a lot of these things correctly.

    iCab, on the Mac, has a setting (and has had it almost since its very first versions) to only allow the Referrer: to be sent only when in the same domain (or even never sent). So Sony.com can trace how I look through their site, but cannot see that I came to Sony's site from a link on slashdot.org

    I could even set it to never send it, as well.

    --
    - (c) 2018 Hank Zimmerman