Closed Bug 1472119 Opened 7 years ago Closed 7 years ago

ETag tracking survives profile deletion

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 231852

People

(Reporter: u596779, Unassigned)

References

(
URL
)

Details

Attachments

(1 file)

pyllyukko user.js - with additions
1.08 KB, text/plain
Details
No description provided.
1. Remove all existing profiles: rm -rf ~/.mozilla/firefox/* 2. Create new profile using command line: firefox -CreateProfile "profile_name profile_dir" 3. Place the attached user.js in profile_dir This user.js provides additional security and privacy tightening. As part of it: JS and cookies are disabled and the browser always runs in private mode. 4. Run firefox: firefox -P profile_name --no-remote about:blank 5. Visit https://lucb1e.com/rp/cookielesscookies/ 6. Watch "Number of visits" on the page 7. Refresh the page until Number of visits = 5 8. Exit firefox 9. Repeat steps 1-6 What is the expected result? Number of visits = 1 What happens instead of that? Number of visits = 6. This means tracking through ETags is possible even in incognito mode, even after complete deletion of user profile (when supposedly data should have been erased). Ctrl+F5 refreshing always results in Number of visits = 2 (still not 1). This is a door to privacy abuse. Firefox should provide an option to block ETag header and that option should be enabled by default.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: