ETag tracking survives profile deletion

RESOLVED DUPLICATE of bug 231852

Status

defect
--
major

People

(Reporter: studio, Unassigned)

Tracking

Trunk
x86_64
Linux

Attachments

(1 attachment)

No description provided.
1. Remove all existing profiles:

rm -rf ~/.mozilla/firefox/*

2. Create a new profile using the command line:

firefox -CreateProfile "profile_name profile_dir"

3. Place the attached user.js in profile_dir

This user.js provides additional security and privacy tightening. As part of it: JS and cookies are disabled and the browser always runs in private mode.

4. Run firefox:

firefox -P profile_name --no-remote about:blank

5. Visit https://lucb1e.com/rp/cookielesscookies/
6. Watch "Number of visits" on the page
7. Refresh the page until Number of visits = 5
8. Exit firefox
9. Repeat steps 1-6

What is the expected result?
Number of visits = 1

What happens instead of that?
Number of visits = 6.

This means tracking through ETags is possible even in incognito mode, even after complete deletion of the user profile (when the data should supposedly have been erased).

Ctrl+F5 refreshing always results in Number of visits = 2 (still not 1).

This is a door to privacy abuse. Firefox should provide an option to block the ETag header, and that option should be enabled by default.
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Resolution: --- → DUPLICATE
Duplicate of bug: 231852
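
The exchange behind the "Number of visits" counter in the report above, modeled in Python as an added example (not code from the report, from Firefox, or from the test site). It assumes the origin keys its counter on the ETag the client echoes in If-None-Match; CountingServer, CachingClient, visits_after and the URL are hypothetical names.

```python
# Added example: ETag revalidation acting as an identifier. Constructed names, no network.
import secrets

URL = "https://tracker.example/page"  # constructed sample URL

class CountingServer:
    """Origin that keys a visit counter on the validator the client echoes."""
    def __init__(self):
        self.visits = {}  # ETag value -> number of requests seen

    def handle(self, request_headers):
        tag = request_headers.get("If-None-Match")
        if tag not in self.visits:  # no validator, or an unknown one
            tag = '"' + secrets.token_hex(8) + '"'
            self.visits[tag] = 0
        self.visits[tag] += 1
        # Re-issue the same ETag so the client's cache keeps the validator.
        headers = {"ETag": tag, "Cache-Control": "no-cache"}
        return 200, headers, f"Number of visits: {self.visits[tag]}"

class CachingClient:
    """Client without cookies or JS; its only state is an HTTP cache."""
    def __init__(self, send_validators=True):
        self.cache = {}  # URL -> stored ETag
        self.send_validators = send_validators

    def get(self, server, url):
        headers = {}
        if self.send_validators and url in self.cache:
            headers["If-None-Match"] = self.cache[url]
        _status, response_headers, body = server.handle(headers)
        self.cache[url] = response_headers["ETag"]
        return body

def visits_after(client, server, url, requests):
    """Issue `requests` GETs and return the count the server last reported."""
    body = ""
    for _ in range(requests):
        body = client.get(server, url)
    return int(body.rsplit(" ", 1)[1])

if __name__ == "__main__":
    server, client = CountingServer(), CachingClient()
    print(visits_after(client, server, URL, 5))  # stored validator is replayed
    client.cache.clear()
    print(visits_after(client, server, URL, 1))  # stored validator is gone
```

In this model the count keeps climbing for as long as the stored validator is replayed. It returns to 1 only when the cache entry is gone or the client does not send If-None-Match.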