Closed
Bug 570295
Opened 14 years ago
Closed 14 years ago
Unexpected search submission of private data when middle-clicking a link
Categories
(Firefox :: Shell Integration, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: yetanothergeek, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.5pre) Gecko/20100602 Namoroka/3.6.5pre Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.5pre) Gecko/20100602 Namoroka/3.6.5pre Usually, when I middle-click on a link, Firefox opens the link in a new tab. However, with certain javascript links, instead of opening the link in a new tab, Firefox sends whatever personal data I might have on my clipboard (X-selection) directly to Google's ever-increasing database of information about me. And since the data is sent as plain-text by default, it could also easily be sniffed by some third party. This can also happen when a user accidentally has the mouse slightly off target even when trying to click a plain HTML link. I believe most users have an expectation that clipboard data is private, and that a trusted application would not unexpectedly expose it to the world just because of a misplaced mouse click. Reproducible: Always Steps to Reproduce: 1. Select some text in Firefox or any another application. 2. Middle-click somewhere on a web page, other than a link or textarea. 3. Middle clicking certain javascript-generated links can also produce the same behavior. Actual Results: If the text happens to be a valid URL, the browser will load that page. Otherwise the text contained in the X-selection is submitted to the configured search engine, possibly as plain text. Expected Results: I would expect nothing at all to happen, since the click was not on a "hyper" page element. (The same thing that would happen if you left-clicked on the same spot.) For the case of the javascript links, I would expect the link to open in a new tab, or not at all.
Comment 1•14 years ago
|
||
This is an intentional feature (enabled on Linux only) that is controlled by the hidden "middlemouse.contentLoadURL" pref. You can disable it by setting that pref to false using about:config.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 2•14 years ago
|
||
Thanks, Gavin - The "middlemouse.contentLoadURL" does exactly what I wanted. Although I still think this "feature" should be disabled by default, particularly since there is no clear way to predict what will happen if the user middle-clicks on a link, it depends on how the link is implemented. I also think the name of the setting is a bit of a misnomer - maybe it should be "middlemouse.sendClipboardToSearchEngine"
Comment 3•14 years ago
|
||
(In reply to comment #2) > Although I still think this "feature" should be disabled by default, > particularly since there is no clear way to predict what will happen > if the user middle-clicks on a link, it depends on how the link is > implemented. This sounds like a bug that should be filed separately. > I also think the name of the setting is a bit of a misnomer - > maybe it should be "middlemouse.sendClipboardToSearchEngine" Well, we only send it to the search engine if it isn't a valid URL...
Reporter | ||
Comment 4•14 years ago
|
||
(In reply to comment #3) > This sounds like a bug that should be filed separately. I believe this bug report already addresses those concerns. > Well, we only send it to the search engine if it isn't a valid URL... Which is probably true of most people's clipboard 99% of the time. Even if the selection does contain a valid URL, it's still up to the user to try and guess what will happen when middle-clicking on a link.
You need to log in
before you can comment on or make changes to this bug.
Description
•