1101340 - Private Browsing mode renders pages differently (malicious security backdoor?)

Status: RESOLVED WONTFIX

(Firefox :: Private Browsing, defect)

Description

[Kristian Erik Hermansen]

Attachment: Screenshot from 2014-11-18 20:28:43.png

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36

Steps to reproduce:

Install Firefox v33 fresh on Ubuntu 14.10 (amd64) from the default repositories.

$ sudo apt-get install firefox

Open Firefox. Browse to acid3.acidtests.org and notice that the test passes with 100% and NO warning about ~you should not see this~ in the upper left corner. Image should match the reference image correctly.

Now, to confirm the bug, open a New Private Windows and perform the EXACT SAME TEST. Browse to acid3.acidtests.org. You will notice Firefox is rendering the page differently. No additional extensions / add-ons are installed, so that is NOT the cause. I even disabled the default Ubuntu addons, reset firefox, and used Safe Mode, all producing the same results. I am most notably concerned because Tor Browser Bundle relies on Firefox and this bug may propagate there via this issue.


Actual results:

The acid3 test failed in Private Browsing mode. Why? Is this some type of accidental flaw or an indicator used by malicious authorities to track Private Browsing mode discretely through a remote oracle?


Expected results:

The acid3 test SHOULD have passed in both modes, but did not.

Comment 1

[YF (Yang)]

i see it on fx34 win8.1.

Comment 2

[Josh Matthews [:jdm]]

This is expected. The test that fails visually (by showing the red text) is an <a> element pointing at the current page. In a non-private session, the :visited style applies to this which hides it. In a private session, however, we don't store any visited history, so the :visited style does not apply to the link.