Closed Bug 1472119 Opened 2 years ago Closed 2 years ago

ETag tracking survives profile deletion

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 231852

People

(Reporter: u596779, Unassigned)

References

(
URL
)

Details

Attachments

(1 file)

pyllyukko user.js - with additions
1.08 KB, text/plain
Details 
No description provided.
1. Remove all existing profiles:

rm -rf ~/.mozilla/firefox/*

2. Create new profile using command line:

firefox -CreateProfile "profile_name profile_dir"

3. Place the attached user.js in profile_dir

This user.js provides additional security and privacy tightening. As part of it: JS and cookies are disabled and the browser always runs in private mode.

4. Run firefox:

firefox -P profile_name --no-remote about:blank

5. Visit https://lucb1e.com/rp/cookielesscookies/
6. Watch "Number of visits" on the page
7. Refresh the page until Number of visits = 5
8. Exit firefox
9. Repeat steps 1-6

What is the expected result?
Number of visits = 1

What happens instead of that?
Number of visits = 6.

This means tracking through ETags is possible even in incognito mode, even after complete deletion of user profile (when supposedly data should have been erased).

Ctrl+F5 refreshing always results in Number of visits = 2 (still not 1).

This is a door to privacy abuse. Firefox should provide an option to block ETag header and that option should be enabled by default.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 231852
You need to log in before you can comment on or make changes to this bug.