Unexpected search submission of private data when middle-clicking a link

Status: RESOLVED INVALID
Product: Firefox
Component: Shell Integration
People: (Reporter: yetanothergeek@gmail.com, Unassigned)
Firefox Tracking Flags: (Not tracked)

Description

8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.5pre) Gecko/20100602 Namoroka/3.6.5pre
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.5pre) Gecko/20100602 Namoroka/3.6.5pre

Usually, when I middle-click on a link, Firefox opens the link in a new tab.

However, with certain javascript links, instead of opening the link in a new tab, Firefox sends whatever personal data I might have on my clipboard (X-selection) directly to Google's ever-increasing database of information about me. And since the data is sent as plain-text by default, it could also easily be sniffed by some third party. This can also happen when a user accidentally has the mouse slightly off target even when trying to click a plain HTML link. 

I believe most users have an expectation that clipboard data is private, and that a trusted application would not unexpectedly expose it to the world just because of a misplaced mouse click.



Reproducible: Always

Steps to Reproduce:
1. Select some text in Firefox or any other application.
2. Middle-click somewhere on a web page, other than a link or textarea.
3. Middle clicking certain javascript-generated links can also produce the same behavior.

Actual Results:
If the text happens to be a valid URL, the browser will load that page. Otherwise the text contained in the X-selection is submitted to the configured search engine, possibly as plain text.

Expected Results:  
I would expect nothing at all to happen, since the click was not on a "hyper" page element. (The same thing that would happen if you left-clicked on the same spot.) For the case of the javascript links, I would expect the link to open in a new tab, or not at all.

Comment 1

This is an intentional feature (enabled on Linux only) that is controlled by the hidden "middlemouse.contentLoadURL" pref. You can disable it by setting that pref to false using about:config.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID
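
To confirm on disk that the pref named in the comment above has actually been turned off, a profile's prefs.js and user.js can be parsed. This is an added example, not part of the bug thread or Mozilla's code; the function names and the ~/.mozilla/firefox profile location are assumptions, and it relies on user.js being applied after prefs.js at startup.

```python
import re
from pathlib import Path

PREF = "middlemouse.contentLoadURL"
# Matches one line such as: user_pref("middlemouse.contentLoadURL", false);
# Lines commented out with // do not match because of the anchored prefix.
LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(text, name=PREF):
    """Return the last value assigned to `name` in a prefs file, or None."""
    value = None
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)  # later assignments win within one file
    return value

def effective_value(prefs_js="", user_js=""):
    """user.js is applied after prefs.js, so it takes precedence."""
    for text in (user_js, prefs_js):
        value = read_pref(text)
        if value is not None:
            return value
    return None  # not set by the user: the build default applies

def audit_profile(profile_dir):
    """Classify one profile directory: 'disabled', 'enabled' or 'default'."""
    def load(name):
        path = Path(profile_dir) / name
        if not path.is_file():
            return ""
        return path.read_text(encoding="utf-8", errors="replace")
    value = effective_value(load("prefs.js"), load("user.js"))
    return {"false": "disabled", "true": "enabled"}.get(value, "default")

if __name__ == "__main__":
    # Constructed sample: prefs.js enables the feature, user.js turns it off.
    sample_prefs = 'user_pref("middlemouse.contentLoadURL", true);'
    sample_user = 'user_pref("middlemouse.contentLoadURL", false);'
    print("sample:", effective_value(sample_prefs, sample_user))
    # Assumed default profile location on Linux.
    for profile in sorted(Path.home().glob(".mozilla/firefox/*")):
        if (profile / "prefs.js").is_file():
            print(f"{profile.name}: {audit_profile(profile)}")
```

A result of 'default' means the profile never set the pref, so the build default described in the comment above applies.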
(Reporter)

Comment 2

8 years ago
Thanks, Gavin - 

The "middlemouse.contentLoadURL" does exactly what I wanted.

Although I still think this "feature" should be disabled by default,
particularly since there is no clear way to predict what will happen
if the user middle-clicks on a link, it depends on how the link is 
implemented.

I also think the name of the setting is a bit of a misnomer - 
maybe it should be "middlemouse.sendClipboardToSearchEngine"

Comment 3

(In reply to comment #2)
> Although I still think this "feature" should be disabled by default,
> particularly since there is no clear way to predict what will happen
> if the user middle-clicks on a link, it depends on how the link is 
> implemented.

This sounds like a bug that should be filed separately.

> I also think the name of the setting is a bit of a misnomer - 
> maybe it should be "middlemouse.sendClipboardToSearchEngine"

Well, we only send it to the search engine if it isn't a valid URL...
(Reporter)

Comment 4

8 years ago
(In reply to comment #3)

> This sounds like a bug that should be filed separately.

I believe this bug report already addresses those concerns.



> Well, we only send it to the search engine if it isn't a valid URL...

Which is probably true of most people's clipboard 99% of the time.

Even if the selection does contain a valid URL, it's still up to the
user to try and guess what will happen when middle-clicking on a link.