435416 - Privacy evaluation: places.sql leaves traces of visited URLs

Status: RESOLVED INCOMPLETE

(Core :: SQLite and Embedded Database Bindings, defect)

Description

[Andi Kleen]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Build Identifier: Firefox 3 beta 5 (as shipped with opensuse 11.0b3)

I try to visit my browser to avoid leaving traces of visited URLs for privacy 
reasons.

For that I set the "clear private data" tabs to clear everything on exit and
exit regularly using the close buttong (not killing/crashing)
Also disable the session store in about:config (really should be part of 
the clear privacy tool btw)

After exiting I did a test of "grep -r website-i-visited ~/.mozilla/*"

I found that there are always URLs of the visited urls in places.sql

This is a serious privacy problem. Please fix.

Reproducible: Always

Steps to Reproduce:
1. see details
2.
3.
Actual Results:  
see details

Expected Results:  
...

Comment 1

[Sylvain Pasche]

Do you have a bookmark of the website-i-visited? Bookmarks are not deleted when you use "clear private data", so that may explain this.

This is a bit technical, but another thing you can do to diagnose the issue is to look at the places database to see where website-i-visited is appearing. Just install the sqlite3 command line tool, and then type

$ sqlite3 /path/to/places.sqlite .dump

And then grep the results to see on what table website-i-visited is stored

Comment 2

[Andi Kleen]

No bookmark.

Cannot do the sqlite check right now, but will do later.

Comment 3

[Shawn Wilsher :sdwilsh]

We use SQLITE_SECURE_DELETE, so this is either an upstream bug or doesn't exist.  Regardless, haven't heard from the reporter, so INCOMPLETE.