Closed Bug 1472119 Opened 2 years ago Closed 2 years ago
ETag tracking survives profile deletion
No description provided.
1. Remove all existing profiles: rm -rf ~/.mozilla/firefox/*
2. Create new profile using command line: firefox -CreateProfile "profile_name profile_dir"
3. Place the attached user.js in profile_dir. This user.js provides additional security and privacy tightening. As part of it: JS and cookies are disabled and the browser always runs in private mode.
4. Run firefox: firefox -P profile_name --no-remote about:blank
5. Visit https://lucb1e.com/rp/cookielesscookies/
6. Watch "Number of visits" on the page
7. Refresh the page until Number of visits = 5
8. Exit firefox
9. Repeat steps 1-6

What is the expected result?
Number of visits = 1

What happens instead of that?
Number of visits = 6.

This means tracking through ETags is possible even in incognito mode, even after complete deletion of user profile (when supposedly data should have been erased). Ctrl+F5 refreshing always results in Number of visits = 2 (still not 1).

This is a door to privacy abuse. Firefox should provide an option to block ETag header and that option should be enabled by default.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 231852
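Added example, not part of the bug report or of Firefox: a check for the report's expected result, run over header captures taken before the profile was deleted and on the first visit with the new profile. The captures, the host name and the function names are constructed for illustration; a validator only counts as surviving if the new session sent it before the server had issued it again.

```python
import re

# Constructed captures (not taken from the bug): each exchange is the request
# header block, a blank line, then the response header block.
HOST = "Host: tracker.example.test\n"
SESSION_A = [  # visits made before the profile was deleted
    'GET /page HTTP/1.1\n' + HOST + '\nHTTP/1.1 200 OK\nETag: "a1b2c3"\n',
    'GET /page HTTP/1.1\n' + HOST + 'If-None-Match: "a1b2c3"\n\n'
    'HTTP/1.1 304 Not Modified\nETag: "a1b2c3"\n',
]
# New profile whose first request already carries the old validator (weak form).
SESSION_B_LEAK = [
    'GET /page HTTP/1.1\n' + HOST + 'If-None-Match: W/"a1b2c3"\n\n'
    'HTTP/1.1 304 Not Modified\nETag: "a1b2c3"\n',
]
# New profile that starts clean; the server happens to issue the same tag again.
SESSION_B_CLEAN = [SESSION_A[0], SESSION_A[1]]

def headers(block):
    """Parse a raw header block into {lowercased name: value}, skipping the start line."""
    out = {}
    for line in block.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out

def opaque_tags(value):
    """Entity-tags in an ETag or If-None-Match value, without the W/ weak prefix."""
    return set(re.findall(r'(?:W/)?"([^"]*)"', value or ""))

def split_exchange(exchange):
    request, _, response = exchange.partition("\n\n")
    return headers(request), headers(response)

def issued_etags(session):
    """Every entity-tag the server handed out during a session."""
    return set().union(*(opaque_tags(split_exchange(e)[1].get("etag")) for e in session))

def surviving_validators(before, after):
    """Tags issued in `before` that `after` sent before being issued them again."""
    known, reissued, leaked = issued_etags(before), set(), set()
    for exchange in after:
        request, response = split_exchange(exchange)
        leaked |= (opaque_tags(request.get("if-none-match")) & known) - reissued
        reissued |= opaque_tags(response.get("etag"))
    return leaked
```

An empty result for the post-deletion capture corresponds to the expected "Number of visits = 1"; a non-empty result names the validators that outlived the profile.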