Bug#795576: iceweasel: When using default settings, user will be subscribed to services only by hovering over links
Mike Hommey
mh at glandium.org
Wed Sep 2 00:53:48 UTC 2015
On Tue, Sep 01, 2015 at 05:33:03PM -0700, Josh Triplett wrote:
> retitle 795576 iceweasel: Supports prefetching links on hover
> severity 795576 wishlist
> tags 795576 - security
> thanks
>
> (I'll leave it to the maintainer to tag this wontfix.)
>
> On Sat, 15 Aug 2015 14:32:58 +0300 Boris Shtrasman <borissh1983+bugs at gmail.com> wrote:
> > This is related to mozilla bug 814169,
>
> Which is closed as wontfix.
>
> > Where a user using default settings hovers over a link without clicking
> > on it (which triggers a link prefetch case), this will leak device
> > information and provide access to user wallet.
>
> No, it won't. It will fetch a URL. Nothing more. That does not
> "provide access to user wallet". And any site that's using prefetching
> could just as easily load the page in the background in many other ways.
>
> No site should make it possible to trigger unsafe actions via a GET; if
> they do, then that site has a security hole. Prefetch itself does not
> change that site security hole.
The mentioned prefetch doesn't even do a GET. It does a DNS request and
opens a TCP connection (and I think, in the HTTPS case, does the SSL
handshake).
Mike
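The following is an added example, not part of this thread or of Iceweasel: a loopback listener that shows what the server side of the speculative connect Mike describes looks like compared with a real navigation. The client payloads and the host name are constructed for the demonstration.

```python
import socket
import threading

# Added example, not part of the bug thread. Shows what the server side of a
# hover-triggered speculative connection looks like compared with a real GET:
# only a TCP handshake (plus TLS, in the HTTPS case) arrives, never a request.

def classify_connection(conn, timeout=0.5):
    """Classify one accepted TCP connection from the server's point of view.

    'preconnect' : peer completed the handshake but sent no bytes (the
                   speculative-connect case described in the thread)
    'request'    : peer sent an HTTP request line
    'other'      : peer sent bytes that are not an HTTP request
    """
    conn.settimeout(timeout)
    try:
        data = conn.recv(1024)
    except socket.timeout:
        return "preconnect"
    finally:
        conn.close()
    if not data:
        return "preconnect"
    return "request" if data.startswith((b"GET ", b"HEAD ", b"POST ")) else "other"

def accept_and_classify(listener, results):
    """Accept exactly one connection and record its classification."""
    conn, _ = listener.accept()
    results.append(classify_connection(conn))

def run_demo():
    """Constructed clients against a loopback listener: one speculative
    connect (handshake only, then close), one navigation that sends a GET."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    port = listener.getsockname()[1]
    results = []
    for payload in (b"", b"GET /account HTTP/1.1\r\nHost: example.test\r\n\r\n"):
        worker = threading.Thread(target=accept_and_classify, args=(listener, results))
        worker.start()
        with socket.create_connection(("127.0.0.1", port)) as client:
            if payload:
                client.sendall(payload)
        worker.join()
    listener.close()
    return results

if __name__ == "__main__":
    print(run_demo())  # ['preconnect', 'request']
```

A server that only acts on parsed request lines sees the speculative connect as an empty connection, which is why the hover alone cannot trigger a GET-based action on its own.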