1301769 - FF: apparently no way to prevent session restore from cmd line

Status: NEW

(Firefox :: Session Restore, enhancement)

Description

[scratch65535]

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20151216175450

Steps to reproduce:

I accidentally ended up at a toxic site claiming to be deleting my files.  It may only have been scriptkiddies having fun, but I didn't hang about to investigate.  I immediately deadstarted the machine.


Actual results:

When I restarted FF, for my inconvenience it restored the session---naturally including the site that prompted my power-off.  I powered off again, presuming that would clear the restore bit.  It didn't.  After rebooting again, it restored the bad session again.  After I again powered off and rebooted, I used Opera  to check for a command-line switch that would let me restart FF without restoring the damned session.  Apparently there isn't one.  To turn off restoration, one must first allow restoration, if one happens to be caught as I was.  Catch 22.  So I de-installed the app, checked for cleanliness, and re-installed.  I've not done a files inventory yet.


Expected results:

One of three things should be true:  (a) post-crash restore is turned off by default; (b) post-crash restore requires positive user selection every time (a radio button+return, not just return); or (c) a command-line switch is provided, e.g. firefox --restore-session=no.  Me, I'd vote for all three, to handle the case where the user turns restoration on and then gets caught by some pillock who succeeds in turning off the confirmation detent.

The current setup is a major security problem.

Comment 1

[:Gijs (he/him)]

We will start prompting before automatically restoring if you crash twice in succession. This is controlled by a pref ( browser.sessionstore.max_resumed_crashes , the code reading it is in http://searchfox.org/mozilla-central/rev/950e13cca1fda6507dc53c243295044e8eda4493/browser/components/sessionstore/SessionStore.jsm#3834-3865 ). I don't know if/how that would treat machine force-reboots the same, or if that pref is non-default on your machine (it is on my machine, I just find it annoying to be prompted).

This isn't a security bug because the session restore functionality does not enable any additional compromise, and is also not turned on by default. The "evil trap" type of site (cf. bug 432687) is a (somewhat mild) security issue, and any actual compromise of your files by a website would be a much more serious security issue. I'm unhiding the bug so more people can see it and contribute/diagnose.

Comment 2

[Simona Badau, Desktop QA]

I can confirm this issue on the latest Nightly 97.0a1 on Windows 10 x64 - there is no way to prevent the session from restoring if the "Open previous windows and tabs" check is enabled. I got no prompt even if setting the pref browser.sessionstore.max_resumed_crashes=0 when the machine is forced/rebooted. I belive this is a good candidate for an enhancement so I'm setting this to New so that the engineering team could decide if this is something that should be changed or not.