Bug#795576: iceweasel: When using default settings, user will be subscribed to services only by hovering over links
Josh Triplett
josh at joshtriplett.org
Wed Sep 2 01:51:43 UTC 2015
On Wed, Sep 02, 2015 at 09:53:48AM +0900, Mike Hommey wrote:
> On Tue, Sep 01, 2015 at 05:33:03PM -0700, Josh Triplett wrote:
> > retitle 795576 iceweasel: Supports prefetching links on hover
> > severity 795576 wishlist
> > tags 795576 - security
> > thanks
> >
> > (I'll leave it to the maintainer to tag this wontfix.)
> >
> > On Sat, 15 Aug 2015 14:32:58 +0300 Boris Shtrasman <borissh1983+bugs at gmail.com> wrote:
> > > This is related to mozilla bug 814169,
> >
> > Which is closed as wontfix.
> >
> > > Where a user using default settings hovers over a link without clicking
> > > on it (which triggers a link prefetch case). This will leak device
> > > information and provide access to user wallet.
> >
> > No, it won't. It will fetch a URL. Nothing more. That does not
> > "provide access to user wallet". And any site that's using prefetching
> > could just as easily load the page in the background in many other ways.
> >
> > No site should make it possible to trigger unsafe actions via a GET; if
> > they do, then that site has a security hole. Prefetch itself does not
> > change that site security hole.
>
> The mentioned prefetch doesn't even do a GET. It does a DNS request and
> opens a TCP connection (and I think, in the HTTPS case, does the SSL
> handshake).
Even better, then. Thanks for the clarification.
- Josh Triplett
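Added example, not part of the thread or of iceweasel: a minimal WSGI app that shows the rule Josh states ("no site should make it possible to trigger unsafe actions via a GET") as code. A deliberately vulnerable handler subscribes the user on a plain GET, so any hover-triggered prefetch, link preview or speculative fetch of that URL would act without a click; the hardened handler beside it only changes state on a POST carrying a per-session CSRF token, which a prefetcher, DNS lookup or speculative TCP connection cannot supply. The `/subscribe` path, the `X-Session` header and all function names are constructed for the demo.

```python
import hmac
import io
import secrets
from urllib.parse import parse_qs

# Constructed in-memory state for the demo (a real app would use a DB/session store).
SUBSCRIPTIONS = set()      # session ids that are subscribed
SESSION_TOKENS = {}        # session id -> CSRF token issued with the form page


def text(start_response, status, body, extra_headers=()):
    """Send a plain-text response; returns the WSGI body iterable."""
    headers = [("Content-Type", "text/plain; charset=utf-8")] + list(extra_headers)
    start_response(status, headers)
    return [body.encode()]


def issue_csrf_token(session_id):
    """Mint a per-session token; the subscribe form would embed it as a hidden field."""
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_id] = token
    return token


def vulnerable_application(environ, start_response):
    """The pattern the bug report worries about: a GET that changes state.
    Any prefetch, link preview or hover-triggered fetch of this URL subscribes
    the user without a click. Kept vulnerable on purpose for comparison."""
    if environ["PATH_INFO"] == "/subscribe":
        session_id = environ.get("HTTP_X_SESSION", "")
        SUBSCRIPTIONS.add(session_id)   # side effect on a "safe" method
        return text(start_response, "200 OK", "subscribed\n")
    return text(start_response, "404 Not Found", "not found\n")


def hardened_application(environ, start_response):
    """State changes only on POST, and only with a CSRF token bound to the
    session; GET/HEAD stay safe (no side effect), so prefetching is harmless."""
    if environ["PATH_INFO"] != "/subscribe":
        return text(start_response, "404 Not Found", "not found\n")
    if environ["REQUEST_METHOD"] != "POST":
        return text(start_response, "405 Method Not Allowed",
                    "state-changing action requires POST\n", [("Allow", "POST")])
    session_id = environ.get("HTTP_X_SESSION", "")
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    supplied = form.get("csrf", [""])[0]
    expected = SESSION_TOKENS.get(session_id, "")
    if not expected or not hmac.compare_digest(supplied, expected):
        return text(start_response, "403 Forbidden", "missing or bad csrf token\n")
    SUBSCRIPTIONS.add(session_id)
    return text(start_response, "200 OK", "subscribed\n")


def call(app, method, path, headers=None, body=b""):
    """Drive a WSGI app in-process (no socket) and return (status, body_text)."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": "",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out.decode()


def demo():
    """Send the same hover-style GET to both apps, then exercise the POST path.
    Returns a dict of (status, subscribed?) results."""
    SUBSCRIPTIONS.clear()
    hover = ("GET", "/subscribe", {"X-Session": "alice"})
    vuln_status, _ = call(vulnerable_application, *hover)
    vuln_subscribed = "alice" in SUBSCRIPTIONS

    SUBSCRIPTIONS.clear()
    hard_status, _ = call(hardened_application, *hover)
    hard_subscribed = "alice" in SUBSCRIPTIONS

    forged_status, _ = call(hardened_application, "POST", "/subscribe",
                            {"X-Session": "alice"}, b"csrf=guess")
    token = issue_csrf_token("alice")
    ok_status, _ = call(hardened_application, "POST", "/subscribe",
                        {"X-Session": "alice"}, f"csrf={token}".encode())
    return {
        "vulnerable_get": (vuln_status, vuln_subscribed),
        "hardened_get": (hard_status, hard_subscribed),
        "hardened_post_bad_token": forged_status,
        "hardened_post_good_token": (ok_status, "alice" in SUBSCRIPTIONS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the file prints the four outcomes: the vulnerable app subscribes on a bare GET, the hardened one answers 405 with no side effect, rejects a POST with a guessed token, and accepts only the POST carrying the session's own token. Since the prefetch Mike describes goes no further than a DNS lookup and a TCP (or TLS) connection, it never reaches either handler; the server-side rule is what matters for the GET-based prefetches other browsers or proxies might do.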