User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160729072959

Steps to reproduce:

Per http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/ calling FindProxyForURL in a malicious PAC, which can be delivered via WPAD on a network to which a malicious operator is connected, can be used to exfiltrate full HTTPS URLs that would otherwise be protected by encryption.

Following Microsoft's approach with Edge and IE11, Firefox should truncate URLs to the host portion only before passing them to FindProxyForURL, at least in the case of HTTPS.
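One way to express the truncation requested in the report above, as an added example that is not part of the original report and is not Firefox's code. The helper names `sanitizeUrlForPac` and `callPac`, the stand-in PAC function and the sample URLs are constructed for illustration; covering `wss:` as well as `https:` goes beyond the report, which asks only about HTTPS.

```javascript
// Added illustration: hand a PAC script only scheme://host[:port]/ for
// TLS-protected URLs. Helper names are hypothetical, not a browser API.

const SECURE_SCHEMES = new Set(["https:", "wss:"]); // wss: is an assumption beyond the report

function sanitizeUrlForPac(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null; // unparseable input: do not pass it to the PAC script at all
  }
  if (!SECURE_SCHEMES.has(u.protocol)) {
    return u.href; // cleartext schemes are left as they are in this sketch
  }
  // u.host keeps a non-default port; userinfo, path, query and fragment are dropped.
  return `${u.protocol}//${u.host}/`;
}

// Invoke a PAC function with the truncated URL and the bare hostname.
// Returns null when the URL could not be parsed (policy choice of this sketch).
function callPac(findProxyForURL, rawUrl) {
  const safe = sanitizeUrlForPac(rawUrl);
  if (safe === null) return null;
  return findProxyForURL(safe, new URL(safe).hostname);
}

// Constructed stand-in for a PAC script: records what it is given, returns DIRECT.
const seen = [];
function FindProxyForURL(url, host) {
  seen.push({ url, host });
  return "DIRECT";
}

// Constructed sample inputs.
callPac(FindProxyForURL, "https://user:pw@example.com:8443/reset?token=abc123#frag");
callPac(FindProxyForURL, "http://example.com/plain?x=1");
console.log(seen);
```
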
I am assigning a component to this issue in order to involve the development team and get an opinion on this.
Thanks. I've changed the severity away from 'enhancement' as this is a security risk, which I don't think warrants the lowest level of importance. There doesn't seem to be a way for me to flag the issue as security-related other than an option when I reported it, which would have marked this as private, which it isn't at this stage given it has already been reported in the tech press.
To be clear, the security issue is that this exposes data that should be protected by encryption, i.e. the path/query/fragment portions of HTTPS URLs.
I will mark this as necko-next. Gary, can you take a look?
(In reply to Dragana Damjanovic [:dragana] from comment #4)
> I will mark this as necko-next.
> Gary, can you take a look?

Sure, I'll check this later.
I think this is a duplicate of bug 1255474, which has the security flag.
It's a bit pointless for the active bug on this to be hidden from public view since this is a known issue with Firefox and already publicised. Is it possible to make the other bug visible so people can see what's going on with it?
(In reply to mozilla from comment #7)
> It's a bit pointless for the active bug on this to be hidden from public
> view since this is a known issue with Firefox and already publicised. Is it
> possible to make the other bug visible so people can see what's going on
> with it?

I believe this is in progress :)
The bugfix was merged here: http://hg.mozilla.org/mozilla-central/log?rev=303393%3Adf6b25262c65