Privacy Leak in Mozilla and Mozilla-Based Browsers
Mike S. writes "Mozillazine has pointed users to this story at ZDNet UK which breaks the news about a privacy bug discovered in all Mozilla builds up to and including 1.2a as well as browsers based on Mozilla such as Netscape 6/7, Chimera and Galeon.
The bug allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field. This page has a demonstration of the bug and instructions on patching it via a user.js file."
...is that the bug has apparently been a known one for months, and still hasn't been repaired.
I love Mozilla. I use Mozilla. This just troubles me greatly. Even now that it's known, I haven't heard anything about a fix. Hopefully it'll be arriving shortly, because I like my privacy.
Do not link to BugZilla from the front page. Not only is it extremely impolite to overload their system with a bunch of hits from people who have no actual interest in the page, but they have disabled links with a slashdot referrer anyway. I'm sure some clued person will go to the bug report and relay any pertinent information in the comments anyway.
People will tell you to disable Javascript altogether for protection, but it's better to just disable the onunload event. Just put the following line into your user.js file:
user_pref("capability.policy.default.Window.onunload", "noAccess");
You won't miss those onunload events anyway :)
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
I very highly doubt that any site that I visit will be exploiting this bug. Who would waste the time to do this when only about 1% of their visitors will be susceptible to the user tracking. Yeah, I am concerned about privacy, but is this really news? Thanks /. for keeping me informed.
I do everything in Mozilla in tabs. I open new sites in tabs, I'll even load other pages in tabs (middle click is your friend). As a result, they can't spy on me, because I don't go anywhere in that tab once I get there. If (and that might be a pretty big if) that is how you do your browsing, this bug isn't a big deal.
Bryan
It always bemuses me that people seem to think these things are new. Tracking exits is relatively simple and as for how people access your site, just check HTTP_REFERER. Typed URLs and bookmarks show no referer, links show you who sent them to your site. Granted, it's not 100% infallible, but it works on any browser. I'd rather trade 80% accuracy 100% of the time than 100% accuracy on 5-10% of hits.
From time to time, it still amuses me to be watching the logs while I'm chatting to a visitor via Messenger and tell them what system they're running, what their screen res is, color depth, what enabled/disable features they have and the path they've taken through the site. If you're really that bothered, JavaScript even lets you track their mouse's movement around and how they scroll up/down the page and then play it back on your own PC, telling you things like how fast they read and what they paid attention to.
Doing illegal things isn't the only way this could be a problem. For example, let's say I use the Google Browser buttons after reading your web page to execute a search. I may not want you to know that after reading your web page I executed a search for "anonymous STD testing Chicago."
It's not "nasty" per se, but I sure don't need to broadcast that to the world.
At least for me. I tried the windows enigmail on 1.0a, 1.1a, and now 1.2a, and none of them work. GnuPG is installed in c:/gnupg where it belongs... I thought this shit was supposed to be seamless.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
.. how many people are saying "no big deal". If the article stated:
"The bug in Internet Explorer allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field"
you would hear a plethora of privacy zealots bitching and moaning how this is typical M$ practice and blah blah fucking blah.
Because of a /. article and because I'm OS/Software agnostic, I tried Mozilla 1.0 which was a horrible product. I could repeatedly lock up the browser simply by going into the preferences. Maybe it's been fixed in 1.0.1, but I'm not willing to waste my time, especially since IE runs just fine.
I have excellent Karma, so if you can't handle the truth, mod me down, I don't give a shit, I'm just sick of the "hippicratical oath" /. editors have taken.
Live web cams
It's more or less the inverse, this bug enables the referer to know where they refered you to.
Of course, if you really wanted to do that then in most cases you'd just set up a bounce script on your server, much like freshmeat does, so that it would work on anyone.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Is that as breaches go it is a fairly minor one with a trivial workaround, yet it remained confidential in bugzilla.
If it isn't a big enough security hole to warrant instant attention then it should not be hidden in bugzilla, so anyone can have a whack at fixing it.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
The YOU online updater in Yast has been set up to automatically download and install the patch for a coupla months now. Of course, it only applies to the default 0.98 Mozilla version included with the distro, but for those who haven't upgraded, it's there.
THE GOOD HUMOR MAN CAN ONLY BE PUSHED SO FAR
Bart Simpson on chalkboard in episode 2F18
Yea. So should Referrer be removed from existence.
I respectfully disagree. Without the Referer: header, how is a developer supposed to know whether or not somebody else is leeching his bandwidth by linking directly to an image or to a large zip file, so as not to run into problems with metered bandwidth?
Will I retire or break 10K?
Did your wife buy that excuse when you tried it on her?
Well, this just proves my point. Javascript should be disabled. (check my older posts, it's there somewhere).
Anyhow, I think everyone should look into Privoxy [privoxy.org]. In my setup, I have all on(un)load tags removed, and the referer forged to report it as the root of the current server.
It's quite nice. You simply set up a regex to replace/remove any HTML, you can configure that feature on a site-by-site basis, and do so using a simple web-editor.
So, check it out, and take back full control of your browser.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
[If the article stated:]
"The bug in Internet Explorer allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field"
you would hear a plethora of privacy zealots bitching and moaning how this is typical M$ practice and blah blah fucking blah.
I am not so sure.
When Brian Valentine's email was leaked to the Register, I was amazed how many people on /. said, "It looks like a normal sales memo-- no big deal" when the Register was using it as evidence of the Vileness of Microsoft(tm).
In general I think slashdot is a bit more diverse than you think.
LedgerSMB: Open source Accounting/ERP
The last few builds have introduced more bugs than ever. It seems to me that spangly new features are being introduced at the expense of the browser's stability and performance.
For instance, the new keyboard stuff in 1.2a (ok, it's an Alpha I know), had screwed up Javascript's keydown events - the browser intercepts them first, then passes the event to the scripting engine so if a key is held down you get the annoying error "bell" as the buffer is filled. Keyboard events->javascript is/was also broken completely in the Mac/Linux port from 1.1. 1.2a is also slower than 1.1 at rendering dynamic content - especially content that involves keyboard input (like games) due to the problem above.
Also when will they fix the damned image clipping bug in linux that's been there for 2 sodding years now?!! For those who haven't seen it, when clipping an element containing images that have transparency, everything except the images will be clipped, completely ruining the layout of dynamic scripts.
I guess no-one wants to work on the boring stuff like making it work when there's sidebars, tabs and themes to be had...
</rant>
Code, Hardware, stuff like that.
The latest reason to switch to Konqueror.
(Why don't < and > work when I select "Plain old Text"?)
1. Use the Preview button to avoid submitting comments with mistakes.
2. According to this FAQ page, Plain Old Text only converts newlines to <br>. You're looking for Extrans, which also escapes &, <, and >.
Will I retire or break 10K?
If you think that all that matters is whether the /. community thinks something is secure or not, then you are looking in the wrong place.
In the real world, there will always be security problems. The real issue is the scope of those problems. I happen to think that Mozilla and open source software in general tends to be more secure (aside from old versions of BIND and all versions of Sendmail).
If security is what you want, do a risk assessment, and look at the actual ways that different products will mitigate those risks. If you use Linux because it is "More Secure" then you are asking for trouble. So, you need to make up your own mind and determine what you need to do.
In other words, don't follow someone's opinion until you understand why they think that way and whether it applies to your situation.
LedgerSMB: Open source Accounting/ERP
It's more or less the inverse, this bug enables the referer to know where they refered you to.
Grandparent was talking about the CGI scripts used to track users who click an outward link on a web site. (Some Slashdot users abuse those scripts to create a link that appears to go to Yahoo! but really goes to Goatse.cx.) However, this bug in Mozilla gives a site's scripts access to a clicked bookmark or to a URL entered in the location bar.
Will I retire or break 10K?
This same post under an article that says "IE has a security leak" would be modded to -1. It IS a big deal. Especially, since it STILL hasn't been fixed. The responses would say, "This wouldn't happen under Open Source. Somebody would fix it." Well, it IS Open Source, and it still hasn't been fixed.
The demonstration doesn't work for me.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2a) Gecko/20020910
Maybe it's something about the way I'm using tabbed browsing, or my cache settings (once per session), but I can't get the demo to work at all. It always gives the URL of the demo as referer.
Yes, I have cookies enabled (though I limit their max lifespan).
Weird.
Cut that out, or I will ship you to Norilsk in a box.
Well, that's why you put things on the web (a public forum)... For other people to point their browsers at.
But when other people link directly to non-HTML files, your advertisers don't pay you. That's why GameFAQs.com allows linking only to HTML pages.
I happen to run junkbuster - you get no stinking Referer from me.
Many popular download sites (fileplanet, gamespy, gbadev.org, etc.) happen to run a leech script - you get no stinking cool apps from them.
Will I retire or break 10K?
For this demonstration, the image loaded is really a script that sets a cookie with the request referer.
I just said "no" to the cookie dialog and that appears to have broken the example.
If you're going to raise a stink about your browser's security, why are you accepting any and all cookies?
I looked at my settings, and was amused to find that I had disabled javascript's ability to create/mess with cookies. I'm happy the Mozilla team partitioned the javascript functionality like this, because (it appears anyway) that until a bug fix is available, you only have to disable this one aspect of javascript.
user_pref("capability.policy.default.Window.onunload", "noAccess");
while you are at it, throw in these to stop pop-ups:
user_pref("dom.disable_open_during_load", true);
user_pref("dom.disable_open_during_close", true);
If you care to follow that link...
If you use Chimera in OS X, browse to your:
/Users/*your username*/Library/Application Support/Chimera/Profiles/default/*salted name*.slt/ directory and edit the prefs.js file with vi, or BBEdit (which is the default editor on mine).
Add the line:
user_pref("capability.policy.default.Window.onunload","noAccess");
to the bottom of the file, save your changes and restart your browser. Careful of the space slashcode likes to put in there! There should be no spaces in the line you paste into the file.
But why is it when it's an IE bug, it's a "Severe Security Exploit", and when it's a Mozilla bug, it's a "Privacy Leak"...
George Carlin said it best, that we think in language. Changing the rhetoric that is used to describe the problem doesn't change the problem. You can be Anti-Microsoft all you want, but that is worth NOTHING if the software that you choose to use exhibits the same problems, and you are not honest about them.
Again, I'm not taking Microsoft's side -- there aren't sides to take. Open Source software needs to be just as accountable as commercial software if it's to be taken seriously.
Honestly, this is a _NEWS_ site, not a list of programs you're supposed to use. So, there's some _good_ stuff out there about Mozilla, there's also some bad stuff.
Just be thankful it's open-source, because that means that there's a couple million people who can help fix it.
Karma: Non-Heinous
I don't know about any of the rest of you, but I use galeon, and I tried a link, a bookmark and typing my own url. Each time returning to the page that supposedly demonstrates this exposure I got url=unknown.
Conversely, when we use Microsoft products, only the imminently trustworthy folks at Microsoft know what exploits they can use against us.
The flag just makes more sense than the constitution. - Judas Gutenberg
First of all, this does not allow someone to track where you're going but rather where you went. I know that sounds like nitpicking, but really it's the difference between a bug and a correct protocol implementation.
The method described is to check the referrer on requests sent to a particular server after the user has left a page on that server. Surprise! the referrer is now their current location i.e. where they went after your site.
Would you expect any different?
It's a matter of micro-seconds and request timing.
Ok, maybe they could make sure all requests generated by an 'onunload' event are handled before the request to the following page, but personally I would consider that a judgement call and not 'bug'.
Also, I've noticed people here don't seem to give a hoot that your entire history of where you came from can be far more easily tracked!
Here is an easy fix:
1. In Mozilla go to 'Edit | Preferences | Advanced | Script & Plugins'
2. Uncheck the following checkboxes: 'Create or change cookies' and 'Read Cookies'
After changing this go to the demo page again to verify! The demo will not work anymore.
it just needs to know whether the client is asking for .html or .htm .... right?
It needs to know if the request for a .png or a .zip came from within the site or from outside. That's only possible with HTTP's Referer: header. However, the Referer: header could be improved: reveal only the referring hostname, not the referring page.
Will I retire or break 10K?
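The options floated in this thread (drop the Referer entirely as junkbuster does, report only the referring host as the parent suggests, or forge it to the root of the current server as the Privoxy setup upthread does) can all be expressed as one proxy-side header rewrite. This Python script is an added example, not code from the thread, from Privoxy or from any other tool it names; the raw request text, the tracker hostname and the policy names are constructed for illustration.

```python
"""Rewrite or drop the Referer header of an HTTP/1.x request, proxy-side.

Three policies, matching what the thread discusses:
  "strip"       - remove Referer entirely (what a referer-blocking proxy does)
  "origin-only" - keep only scheme://host[:port]/ of the referring page
  "same-root"   - replace Referer with the root of the *requested* server, so
                  naive hotlink checks still pass but no real path is revealed
The sample request below is constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

POLICIES = ("strip", "origin-only", "same-root")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (request_line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def origin_of(url: str) -> str:
    """scheme://host[:port]/ of an absolute http(s) URL, or '' for anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))


def rewrite_referer(raw: str, policy: str) -> str:
    """Return the request with its Referer header rewritten according to policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    request_line, headers, body = parse_request(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    kept = []
    for name, value in headers:
        if name.lower() != "referer":
            kept.append((name, value))
            continue
        if policy == "strip":
            continue
        if policy == "origin-only":
            new = origin_of(value)
        else:
            # same-root: claim we came from the requested server's own front page.
            # A plaintext proxy only ever sees http:// requests, hence the scheme.
            new = f"http://{host}/" if host else ""
        if new:
            kept.append((name, new))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in kept])
    return head + "\r\n\r\n" + body


def referer_of(raw: str):
    """Referer value of a request, or None when absent (used by the checks)."""
    _, headers, _ = parse_request(raw)
    return next((v for n, v in headers if n.lower() == "referer"), None)


# Constructed sample: a beacon fetched by a page's onunload handler after the
# user typed a search URL into the location bar; the Referer already carries
# the full search URL, which is exactly what the thread objects to leaking.
SAMPLE_REQUEST = (
    "GET /track.cgi HTTP/1.1\r\n"
    "Host: tracker.example.org\r\n"
    "Referer: https://search.example.net/search?q=anonymous+std+testing+chicago\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2a) Gecko/20020910\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:12} -> {referer_of(rewrite_referer(SAMPLE_REQUEST, policy))}")
```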
We will not tolerate ourselves to look stupid while accusing other companies of leaving security holes for months, and then doing it ourselves. Do it again, and we will slashdot you again. And yes, we will defeat your referrer. Thank you, have a nice day. :)
Berto
On XP, your user.js file goes in the following directory:
C:\Documents and Settings\\Application Data\Mozilla\Profiles\default\.slt\
(You will need to enable "Show Hidden File Types" in order to view the Application Data folder)
Just open up Notepad (or whatever) and create a new file, naming it user.js. In order to fix the privacy bug, all you need is the following line:
user_pref("capability.policy.default.Window.onunload", "noAccess");
Hope that helps!
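Several posts above warn that Slashcode inserts a space into the long pref name, which turns the pasted line into a preference Mozilla silently ignores. As an added example (not code from the thread or from Mozilla), this Python script parses pasted user_pref() lines, removes whitespace inside the pref name, accepts only the preference names this thread mentions, and emits a clean user.js body; the pasted sample lines are constructed to reproduce the mangling.

```python
"""Check and repair the user_pref() lines this thread tells readers to paste.

Slashcode breaks long unbroken strings with a space, so a copied line may read
  user_pref("capability.policy.default.Window.onunlo ad", "noAccess");
and Mozilla will never look at a pref by that name.  This added example parses
such lines, normalises the name and refuses names it does not recognise.
"""
import re

# Preferences quoted in the thread, with the values the posters gave for them.
KNOWN_PREFS = {
    "capability.policy.default.Window.onunload": '"noAccess"',
    "dom.disable_open_during_load": "true",
    "dom.disable_open_during_close": "true",
    "network.http.sendRefererHeader": "0",
}

_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]*)"\s*,\s*(?P<value>.+?)\s*\)\s*;?\s*$'
)


def normalise_pref_line(line: str):
    """Return (name, value) for a user_pref line, repairing spaces in the name.

    Returns None when the line is not a user_pref() call at all (plain text
    copied along with the pref).  Raises ValueError when the repaired name is
    not in KNOWN_PREFS, so a typo never lands in the profile as a dead pref.
    """
    m = _PREF_RE.match(line)
    if not m:
        return None
    name = re.sub(r"\s+", "", m.group("name"))  # undo Slashcode's inserted space
    value = m.group("value")
    if name not in KNOWN_PREFS:
        raise ValueError(f"unrecognised preference {name!r}")
    return name, value


def render_user_js(lines):
    """Build a clean user.js body from pasted lines, skipping non-pref text."""
    out = []
    for line in lines:
        pref = normalise_pref_line(line)
        if pref:
            name, value = pref
            out.append(f'user_pref("{name}", {value});')
    return "\n".join(out) + "\n"


# Constructed input: the lines as they come out of the thread, mangling included.
PASTED = [
    'user_pref("capability.policy.default.Window.onunlo ad", "noAccess");',
    'user_pref("dom.disable_open_during_load" , true);',
    'user_pref("dom.disable_open_during_close", true);',
    "Hope that helps!",
]

if __name__ == "__main__":
    print(render_user_js(PASTED), end="")
```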
...(like the subject says)...
I do not see how one is an idiot for maintaining operability with old technology. The wheel works fine for me, do you think the new Octagon wheel will be an improvement?
Saskboy's blog is good. 9 out of 10 dentists agree.
How in the hell do you go from funny to offtopic, when the post is clearly related to the one that is funny?
Funny trumps off-topic. A post that's both funny and off-topic will be moderated as funny. A post that's merely off-topic-- without being funny-- will be moderated off-topic.
This should be obvious. Perhaps your trouble is that you're an idiot?
Any developer who puts the username and password in a URL should be shot. And any user who sees their password in the URL in plainsight and doesn't complain, or stop using the services, shouldn't be allowed near a computer to begin with.
See parent comment aboot Slashcode.
Heh. This post reminds me of the old Far Side cartoon. A caveman is trying to sell another caveman a car. In the background you see lots of Fred Flintstone-style caveman cars, each with square wheels. The car in the foreground has triangular wheels. The salesman is saying, "This new, improved model. Has one less bump."
Yeah, I'm off-topic. I'm way the fuck off-topic. I'm so off-topic, I'm not even going to mention the topic (although I could, just to stay topical). Mod me down if you want. I've got karma to burn, and I'm feeling grouchy and self-destructive.
I'd define the terms thus:
Privacy leak: lets someone else see what I'm doing or where I'm going. Does not let them see into my system.
Security exploit: lets someone else see the contents of my HD.
Severe security exploit: lets someone else *manipulate* the contents of my HD, pilfer my credit card number, or something else on that order.
~REZ~ #43301. Who'd fake being me anyway?
Conclusive proof! Making a disparaging comment about Mozilla-- or Linux, or Gnome, or KDE, or any of that shit-- is, prima facie, enough to get moderated down on Slashdot. Somebody threw this AC a downmod just because he said that one option-- and possibly the best one-- was not to use Mozilla.
I will mail one crisp new American dollar, postage paid, to the first person who moderates this comment down. Send your claim to foobar104@yahoo.com.
It isn't "Open Source's" fault. Slashdot is to blame. They are just extremely biased toward open source.
Slashdot really sucks nowadays. There are better alternatives. Check out
Quit Slashdot Movement.
Don't feel bad about being OT. It made me laugh.
In fact I'll follow in your fine tradition of making people laugh, and not mention how this fits in to the topic either.
Saskboy's blog is good. 9 out of 10 dentists agree.
Too bad I have to quit moz to get the prefs in. Isn't there a JS
which can patch the hole without having to quit? Sucks.
Nothing gets my goat more than having crappy software shoved down my throat with a "and you will like it" to wash it down.
I'm tons more willing to cut some slack to a free and open source project for a minor issue than to let off some corporation responsible for riddling my machine with security problems I can't uninstall-- and routinely refuses to fix in a timely manner.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
The poster asks:
> But why is it when its an IE bug, its a "Severe Security Exploit", and when its a Mozilla bug, its a "Privacy Leak"...
And it is currently rated as "Score:5, Insightful".
I fear that Slashdot's moderation facility is being used by Microsoft as another FUD tool. While some posters try to moderate honestly, Microsoft astroturfers moderate each others' posts up, thus increasing their karma, and giving themselves more power to moderate.
There is no objective basis by which the above post could be considered "insightful".
In fact, the above post is completely stupid.
The post suggests there is something wrong when some IE vulnerabilities have been rated "Severe", while this Mozilla vulnerability is just rated as a "Privacy Leak".
Let's consider that.
Should this Mozilla problem be considered as "severe"? Hardly. As others have pointed out, providing the URL of the site you are going to is not that different from what all browsers have always done when they provide the URL of the site you came from. In fact, the problem is so minor that I am not even going to bother installing the fix until the next browser release comes out. When referring to this problem, the words "Privacy Leak" are, if anything, too strong.
On the other hand, let's consider some of the _19_ currently unpatched security holes in IE.
Here are some samples:
> Who framed Internet Explorer
> Description: Cross-protocol scripting, arbitrary command execution, local file reading, cookie theft, website forging, sniffing https, etc.
> MS JVM native method vulnerabilities
> Description: A collection of at least 10 different vulnerabilities in the MS JVM, escaping the sandbox, local file reading, silent delivery and execution of arbitrary programs, etc.
> WMP Stench
> Description: Silent delivery and installation of an executable on a target computer
> Java XMLDSO base tag
> Description: Arbitrary local file reading.
> delegated SSL authority
> Description: HTTPS spoofing, man-in-the-middle attacks, etc.
> document.domain parent DNS resolver
> Description: Improper duality check leading to firewall breach
> CTRL-key file upload focus
> Description: Local file reading, downloading and executing arbitrary code.
Arbitrary command execution? Local file reading? Escaping the sandbox? HTTPS spoofing? Firewall breach? Should any of those be considered "severe"? You betcha!
In fact, of the nineteen open security holes in IE, nine of them allow binary executable code to be run on your computer.
So clearly, the original poster is an idiot. Objectively, his post should be rated "Score:-1, Troll".
I would say that the posters who moderated his post up are even bigger idiots, but I don't believe that to be the case. Instead, I figure they're probably professional liars, being paid by Microsoft.
I tried the test and I think the problem is basically caused by the HTTP referrer field (as another post mentioned below). This isn't exactly a new exploit (from my understanding) but a function of the HTTP protocol that not many people seem to know about.
If you've got a windows machine you can get the Agnitum Outpost firewall. Not only is it a good firewall (Zonealarm screwed up my machine) but it can block ads, content (based on what sites you tell it to block) and can block referrers. You can also write plugins for the firewall to do other functions. (PS I don't work for these people - I just use and like the firewall)
I find it unconscionable that such a gaping hole has been allowed to remain over a month... shame on the Mozilla team :(
Also, keep in mind that there are lots of people fighting for just causes (various freedoms and rights) that are opposed by the evil ruling powers in their countries (China, Taiwan, Tibet, Zimbabwe, etc.). The Internet can be a powerful tool for garnering outside support for revolution. The most famous example, I think, is the Free Tibet Campaign.
Granted, even without the bug they could track this particular browsing behavior by using other means. This bug really isn't a big deal. I'm just taking you to task that only "bad" people should be concerned about privacy. In the U.S., I generally agree with you. But if someone's ideas, which may be considered "legitimate and vanilla" to us, are frowned on by his corrupt government, he can possibly look forward to having a noose around the neck or a bullet in the head (or worse). And there's usually no trial beforehand (except maybe a kangaroo court). When a totalitarian government wants to end a dispute, it always prefers the gun over the gavel.
You know, it really bothers me when a site designer can't be bothered to set a background color for the page, and just assumes the visitor's default window background is white.
People who do that need to be smacked around a bit.
People will pass up steak once a week, for crap every day.
You managed to discover the obvious.
People will pass up steak once a week, for crap every day.
many popular leech scripts allow you to set the referer for when you want to leech those cool apps.
If it wasn't for referer the revenue streams of many Internet companies would disappear. And not just annoying stuff like ads and pop-ups.
Knowledge of traffic patterns and their journey is an important part of knowing how to promote your site. You can work with your cross linked sites to best position those links. For us the referer field is just as important as our hit counts, if not more so.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Not just the referring host.
:]
I have, and never will have, any intention of mapping search terms to users but which search terms drive traffic to our site is a vital piece of information for us.
On a serious site search engine positioning is a daily job. Spending $50 on some shareware search engine submission program and running it the day you finish your web site just isn't enough.
The data we get from our referring page information is what helps us keep a top ten google position for our chosen key words.
I would guess that 90% of web design houses know next to nothing about web positioning. [which is great news for us]
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Opera lets you turn off the referrer entirely. I always use that, for privacy reasons. Besides, it lets me use the Bugzilla links that people say are designed to be unaccessible from Slashdot :-).
What good is the referrer supposed to do, anyway? I always found it disturbing to be able to see in my logs which IMAP folders people use with their webmail.
-- In the U.S., I generally agree with you.
Last time I checked, the countries you consider as suffering from "evil rulings" (China, Taiwan, Tibet et al.) didn't have the DMCA.
Karma cannot be described by words alone.
Some users need to use NTLM Authorization Proxy Server because their admins don't allow any client except IE.
Just add the two last lines at the beginning of the client_header_fix function in client.py:
    def client_header_fix(self):
        """Adjust the client's request headers before they are forwarded upstream."""
        self.logger.log('*** Trying to fix client header...')
        # Remove referer so the upstream server never sees where the request came from
        self.client_head_obj.del_param('referer')
In all honesty, I don't think we do. Our app is meant to be fairly modal; i.e., when a daughter window opens, the user is expected to deal with it, then close it, then go back to the main window. So we don't need to keep track of several open windows at once.
Sorry I couldn't help more.
The nice thing is that Mozilla has a workaround, one that basically kills off a whole potential series of exploits.
Another workaround for this bug exists that for some may be less draconian than disabling the onUnload Javascript handler. This *should* have the same effect as using a proxy that strips REFERER headers from your requests:
user_pref("network.http.sendRefererHeader", 0);
Placed in your prefs.js (or whichever .js file you want to store it in).
Cheers.
It seems there is a huge effort to invade privacy recently, and I wonder what purpose this effort serves?
When you click on a broken link and get an "oops!" page, remember that HTTP_REFERER tells the site where you came from, so that the broken link can be fixed.
It's standard on many of my sites to do this - it's a very good thing IMHO - improving customer experience is good, and we certainly don't CARE who you are!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Gaping even, huge even. At the moment it doesn't really matter. mozilla has such a small % of the whole thing even if someone did actually try to exploit it they wouldn't get enough information to really use it.
Ah who the hell cares.
Good grief moderators --- too late now, but this was meant to be FUNNY --- I guess I have to make this more obvious because everybody wants to see TROLL.
:-)
Give me some love.
Guess what? I got a fever! And the only prescription.. is more cowbell!
Here's the path for Mac OS X.
$HOME/Library/Mozilla/Profiles/default/.slt
--
What is pirate software? Software for inventory of stolen treasure?
Well, Privoxy looks like it'd be a lot of work to configure. On the other hand, it's got good pretty good docs, and working with it will probably teach you a lot about how http works in the real world. Which is actually the main reason I just downloaded it.
Hover your mouse over links such as those at fark.com. You'll notice they run them all through a GO script to track where you go, then forward you there. It's almost invisible, it is invisible to new users. If a webadmin wants to track this, this is the best way - not to rely on a transient browser anomaly. "Anomaly" is a better term for this.
The above could be obfuscated further by altering the status bar text to the "destination" link rather than the actual, tracker-link.
I do not consider this a security flaw since web admins have the ability to track where you're going WITHOUT this anomaly using server-side.
There are several other ways: Remember that the link is on the page that they control. An OnClick event that runs a function that talks to a server CGI to log which link you clicked, your IP, date time, is easily done.
Some might think the resources used for such an implementation are more intensive: They need to run you through a CGI. But a CGI needs to read your cookie, and also relies on you coming back (what if you don't? The data is lost.) Anyone exploiting this isn't thinking through their implementation, and their solution will not work for most browsers, and will soon quit working altogether.
Another argument: The difference with server side tracking is that, when you return, they don't know "who" clicked "which" link. Also false. I can cookie you with a unique identifier, and log your linkhit against that cookie ID, and when you return, tell you which link you clicked.
Let's summarize: If this bug is fixed, but you leave cookies, status-bar-text-changing, and javascript on, I can do the same thing. If anyone doesn't believe me, you don't know much about scripting and I am willing to make a page proving this - you're welcome to come and test it with your "patched" Mozilla browser.
So this is a security threat, how? Creating the user.js file is as simple as turning off cookies, or editing the various other script settings to combat the deceptive tactics used by webadmins to track you.
If I was on the BugZilla team I'd be demoting this defect to "anomaly, minor" or whatever lowest possible rating it has.
Erik.LA
# Erik
Sheesh.
This isn't a bug. If you have Javascript enabled, you should expect to have little to no privacy anyway. (Just as you should expect popups, popunders, porn-adverts, memory leaks, and system crashes.)
I mean, what's the recommended solution?
That's right. Do what the security-minded folks have been saying for years. Disable Javascript. Don't use it. Don't visit sites that require it. And if you don't, well, don't whine about it.
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
You need a broader perspective, my friend.
If the U.S. was like said countries and you were a U.S. citizen, you might be receiving a flogging at this very moment for your criticism of your government. That is assuming that you are allowed to access /. in the first place.
So why should I care if a website knows I leave it and go to SlashDot. Doesn't everybody?
Be that as it may, there are times when I need to allow popups in order to get full use out of a site. What's needed is a simple popup policy engine, something like the cookies privacy engine in IE. In particular, I'd like to impose a global limit on popup frequency, so a site can't force me to accept all their crap just to get single popup window that I want to see. The simplistic "no popups" option in Mozilla is not useful for most of us.