Bug 1472119: ETag tracking survives profile deletion
Status: Closed, RESOLVED DUPLICATE of bug 231852
Opened 7 years ago, closed 7 years ago
Categories: Firefox :: Security, defect
People: Reporter: u596779, Unassigned
Attachments: 1 file (1.08 KB, text/plain), no description provided
1. Remove all existing profiles:
    rm -rf ~/.mozilla/firefox/*
2. Create new profile using command line:
    firefox -CreateProfile "profile_name profile_dir"
3. Place the attached user.js in profile_dir
   This user.js provides additional security and privacy tightening. As part of it: JS and cookies are disabled and the browser always runs in private mode.
4. Run firefox:
    firefox -P profile_name --no-remote about:blank
5. Visit https://lucb1e.com/rp/cookielesscookies/
6. Watch "Number of visits" on the page
7. Refresh the page until Number of visits = 5
8. Exit firefox
9. Repeat steps 1-6
What is the expected result?
Number of visits = 1
What happens instead of that?
Number of visits = 6.
This means tracking through ETags is possible even in incognito mode, even after complete deletion of the user profile (when the data should supposedly have been erased).
Ctrl+F5 refreshing always results in Number of visits = 2 (still not 1).
This is a door to privacy abuse. Firefox should provide an option to block the ETag header and that option should be enabled by default.
Updated • 7 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
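
The revalidation loop that the report exercises can be modelled offline. The following is an added example, not code from the bug report, Firefox or the linked demo page; the server's per-ETag counter and all class and function names are assumptions made for illustration. It shows that the counter continues only when the client replays a stored ETag in If-None-Match, and restarts at 1 when the stored validator is cleared or never kept.

```python
"""Model of the ETag revalidation loop behind a "Number of visits" counter.
Constructed for illustration: the server logic is an assumption about how such
a page can work, not code from the linked demo or from Firefox."""
import secrets


class VisitCounterServer:
    """Hypothetical origin that keeps a visit count per ETag value."""

    def __init__(self):
        self.visits = {}

    def handle(self, request_headers):
        tag = request_headers.get("If-None-Match")
        if tag not in self.visits:  # absent or unknown validator: new visitor
            tag = '"%s"' % secrets.token_hex(8)
            self.visits[tag] = 0
        self.visits[tag] += 1
        return {"ETag": tag}, self.visits[tag]


class Client:
    """Browser model: remembers the last ETag per URL unless filtering is on."""

    def __init__(self, strip_validators=False):
        self.cache = {}
        self.strip_validators = strip_validators

    def get(self, server, url):
        headers = {}
        if url in self.cache and not self.strip_validators:
            headers["If-None-Match"] = self.cache[url]  # replayed validator
        response_headers, visits = server.handle(headers)
        if not self.strip_validators:
            self.cache[url] = response_headers["ETag"]
        return visits

    def clear_cache(self):
        self.cache.clear()


def visits_after(client, server, refreshes, url="/page"):
    """Load the page `refreshes` times and return the last counter shown."""
    count = 0
    for _ in range(refreshes):
        count = client.get(server, url)
    return count
```

In this model a result of 6 after a restart is only reachable if the stored validator survived, which makes the visit counter a direct check of whether cached state was really removed.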