Closed
Bug 431155
Opened 17 years ago
Closed 16 years ago
sessionstore.js should be deleted or bypassed when "clear private data" is used
Categories
(Firefox :: Session Restore, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 366572
People
(Reporter: jonathan, Unassigned)
Details
(Keywords: privacy)
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5
I use the clear private data on exit option as I use Firefox primarily to test phishing, spam, and malicious sites for my line of work. In any case, clearing private data gives the indication that no trace is left in the machine's file system upon exit, but the sessionstore.js file located in the user's profile contains the page and tabs last displayed, regardless of whether Firefox exited successfully or not. If private data is cleared on exit, this file should probably be deleted, or bypassed entirely so that it is not written even if Firefox crashes. Otherwise this creates a privacy leak.
Reproducible: Always
Steps to Reproduce:
1.Open Firefox
2.Visit any site
3.Close Firefox, then check sessionstore.js
Actual Results:
The sessionstore.js file will contain information about the site visited, regardless of whether private data is cleared, or whether Firefox exited successfully
Expected Results:
The file should have ideally been deleted or bypassed entirely if 'clear private data on exit' is selected
|
||
Comment 1•17 years ago
|
||
This looks like the opposite of bug 398817, which is WONTFIX for firefox 3, so I think this is already fixed.
|
Reporter | |
Comment 2•17 years ago
|
||
Hmm, browsing history is set to delete on shutdown (along with everything else), and as of this build as well as Firefox 2.0.0.14 for OSX, this problem persists.
|
|
||
Comment 3•17 years ago
|
||
Right, I meant "fixed in Firefox 3". I'm not sure when it was fixed. You can try a Firefox 3 beta if you want to confirm yourself:
http://www.mozilla.com/en-US/firefox/all-beta.html
|
|
Reporter | |
Comment 4•17 years ago
|
||
Aye, this is 3.0-Beta 5 I'm running at the moment. So unless it got fixed very recently, it may have been previously fixed, but now broken.
|
|
||
Comment 5•17 years ago
|
||
Oh, I didn't notice that you reported this against b5, sorry about that. I'm not sure what's up, then.
|
||
Comment 6•17 years ago
|
||
This WORKSFORME on the latest nightly builds (under Windows): sessionstore.js is as good as empty. To make sure this isn't a Mac specific issue:
* Which of the Clear Private Data options do you have checked?
* Could you please upload such a non-cleared sessionstore.js ? (You might want to open it in a plain text editor first to make sure that it doesn't contain anything sensitive!)
Whiteboard: [worksforme?]
|
|
Reporter | |
Comment 7•17 years ago
|
||
I have all options except saved passwords checked.
Just to confirm, I went to my website in Firefox and then quit the browser. My sessionstore.js has:
({windows:[{tabs:[{entries:[{url:"http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official", title:"Mozilla Firefox Start Page", ID:0}, {url:"http://zdziarski.com/", title:"Jonathan Zdziarski's Domain", ID:1, scroll:"0,0"}], index:2}], selected:1, _closedTabs:[], _hosts:{'google.com':true, com:true, 'www.google.com':true, 'zdziarski.com':true}, width:1148, height:1063, screenX:599, screenY:69, sizemode:"normal"}], selectedWindow:1, session:{state:"stopped"}})
|
|
Reporter | |
Comment 8•17 years ago
|
||
It appears that it actually stores a bit of a history in addition to the latest page. For example, if I visit my web page, then microsoft.com, then click 'Home' before exiting, the file documents all three, instead of just the most recent one:
({windows:[{tabs:[{entries:[{url:"http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official", title:"Mozilla Firefox Start Page", ID:0}, {url:"http://zdziarski.com/", title:"Jonathan Zdziarski's Domain", ID:1}, {url:"http://www.microsoft.com/en/us/default.aspx", title:"Microsoft Corporation", ID:2, children:[{url:"wyciwyg://0/http://www.microsoft.com/en/us/default.aspx", ID:3, owner_b64:"NhAra3tiRRqhyKDUVsktxQAAAAAAAAAAwAAAAAAAAEYAAQAAAAAAAd6UctCANBHTk5kAEEug/UAHoizADOUR05MxABBLoP1AAAAAAv////8AAABQAQAAACtodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vZW4vdXMvZGVmYXVsdC5hc3B4AAAAAAAAAAQAAAAHAAAAEQAAAAf/////AAAAB/////8AAAAHAAAAEQAAABgAAAATAAAAGAAAABMAAAAYAAAABwAAAB8AAAAHAAAAJwAAAAQAAAAY/////wAAABj/////AAAAGP////8BAAAAAAAAAAAAAQAA", children:[{url:"http://view.atdmt.com/MRT/iview/mcrssinf0490000020mrt/direct/01?click=", ID:4}]}]}, {url:"http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official", title:"Mozilla Firefox Start Page", ID:5, scroll:"0,0"}], index:4}], selected:1, _closedTabs:[], _hosts:{'google.com':true, com:true, 'www.google.com':true, 'zdziarski.com':true, 'microsoft.com':true, 'www.microsoft.com':true, 'atdmt.com':true, 'view.atdmt.com':true}, width:1148, height:1063, screenX:82, screenY:44, sizemode:"normal"}], selectedWindow:1, session:{state:"stopped"}})
|
|
Reporter | |
Comment 9•17 years ago
|
||
It looks like a temporary workaround is to disable the session store entirely by setting browser.sessionstore.enabled to false. This should probably be set automatically when clear private data is enabled.
|
|
||
Comment 10•17 years ago
|
||
(In reply to comment #9)
> It looks like a temporary workaround is to disable the session store entirely
> by setting browser.sessionstore.enabled to false.
That's the wrong pref. Please disable browser.sessionstore.resume_from_crash instead, or else you won't be able to reopen closed tabs (among others).
BTW: Does this happen on a _clean_ profile as well?
Whiteboard: [worksforme?] → [mac specific?]
|
|
||
Comment 11•17 years ago
|
||
As per bug 398817 comment #30, sessionstore.js can indeed survive Clear Private Data depending on how Firefox is exited. So we'll have to make sure that this is actually handled consistently.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [mac specific?]
Version: unspecified → 3.0 Branch
|
||
Comment 12•17 years ago
|
||
It works for me on trunk. Can you test this bug with the latest trunk ( sessionstore.js ) in safe mode or with a blank profile following these steps:
1. Start Firefox
2. Open options -> Privacy, select "Clear private data on exit" and select all
type of private data.
3. restart firefox (precautionary)
4. open several pages in tabs, and exit Firefox saving session
5. check your sessionstore.js
My test sessionstore.js file contains only this:
({windows:[], selectedWindow:0, session:{state:"stopped"}})
|
|
||
Updated•17 years ago
|
OS: Mac OS X → All
Hardware: Macintosh → All
|
|
||
Comment 13•16 years ago
|
||
I've tracked down the cause of this and will fix it in bug 366572.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•