Bug#795576: iceweasel: When using default settings, user will be subscribed to services only by hovering over links

Josh Triplett josh at joshtriplett.org
Wed Sep 2 00:33:03 UTC 2015


retitle 795576 iceweasel: Supports prefetching links on hover
severity 795576 wishlist
tags 795576 - security
thanks

(I'll leave it to the maintainer to tag this wontfix.)

On Sat, 15 Aug 2015 14:32:58 +0300 Boris Shtrasman <borissh1983+bugs at gmail.com> wrote:
> This is related to mozilla bug 814169,

Which is closed as wontfix.

> Where a user using default settings hovers over a link without clicking
> on it (which triggers a link prefetch case). This will leak device
> information and provide access to the user's wallet.

No, it won't.  It will fetch a URL.  Nothing more.  That does not
"provide access to user wallet".  And any site that's using prefetching
could just as easily load the page in the background in many other ways.

No site should make it possible to trigger unsafe actions via a GET; if
they do, then that site has a security hole.  Prefetch itself does not
change that site security hole.

> I believe that at least network-prefetch-next and
> network.http.speculative-parallel-limit should be disabled by default.
> https://bugzilla.mozilla.org/show_bug.cgi?id=814169 The workarounds
> for that bug are to disable network-prefetch-next and
> network.http.speculative-parallel-limit.

Feel free to do so on your own system.  This is not something Debian
should change.  And even for systems like Tails or TorBrowser that take
extra steps to attempt to provide client anonymity, or other mechanisms
provided by custom browsers/extensions, the prefetched requests go
through the same anonymity mechanism and should remain equally
protected, so turning them off seems unlikely to improve security.

- Josh Triplett