Closed
Bug 673175
Opened 13 years ago
Closed 11 years ago
information leak - email address of last user to comment awaiting moderation was being shown
Categories
(Developer Engagement :: Mozilla Hacks, task, P1)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 652560
People
(Reporter: sdaugherty, Unassigned)
Details
(Keywords: privacy, Whiteboard: [site:hacks.mozilla.org][specification-like][type:bug])
Attachments
(1 file)
65.97 KB,
image/png
I commented earlier on this story, and it was being held for moderation. I refreshed the page later to see if my comment had been posted, and was able to see the email address of the last user to leave a comment on the page (see attached screenshot).
Comment 1•13 years ago
Fastest fix for this is to send no-cache headers for any pages that have that box on them.
Comment 2•13 years ago
Would "Vary: Cookie" do the trick?
Comment 3•13 years ago
I doubt it unless the blog is starting sessions for everyone.
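Added example (not part of the bug thread and not Mozilla's code): a toy shared cache in front of a comment page, comparing the header options raised in comments 1 to 3. It assumes the form is prefilled from a cookie the commenter carries and that the cache keys on URL alone unless `Vary` says otherwise; the `origin` function, the cookie name and the address are constructed.

```python
# Constructed simulation of a shared (reverse-proxy) cache in front of a blog
# page whose comment form is prefilled from the visitor's cookie (assumption).

def origin(cookie, headers):
    """Hypothetical origin: echo the email stored in the cookie into the form."""
    pairs = dict(p.split("=", 1) for p in cookie.split("; ") if "=" in p)
    body = '<input name="email" value="%s">' % pairs.get("email", "")
    return {"headers": dict(headers), "body": body}

class SharedCache:
    def __init__(self, origin_headers):
        self.origin_headers = origin_headers
        self.store = {}  # cache key -> stored response
        self.vary = {}   # url -> request header names listed in Vary

    def _key(self, url, req):
        # Key is the URL plus the request values of every header named in Vary.
        return (url, tuple(req.get(n, "") for n in self.vary.get(url, [])))

    def get(self, url, req):
        hit = self.store.get(self._key(url, req))
        if hit is not None:
            return hit["body"]  # served without contacting the origin
        resp = origin(req.get("cookie", ""), self.origin_headers)
        cc = resp["headers"].get("Cache-Control", "").lower()
        directives = {d.strip() for d in cc.split(",")}
        # Simplification: no-cache is modelled as "not stored"; a real cache may
        # store the response but must revalidate it before every reuse.
        if not directives & {"no-store", "no-cache", "private"}:
            vary = resp["headers"].get("Vary", "")
            self.vary[url] = [v.strip().lower() for v in vary.split(",") if v.strip()]
            self.store[self._key(url, req)] = resp
        return resp["body"]

def next_visitor_sees(origin_headers):
    """Commenter reloads the page, then a cookie-less visitor requests it."""
    cache = SharedCache(origin_headers)
    cache.get("/post", {"cookie": "email=alice@example.test"})
    return cache.get("/post", {})

def leaks(origin_headers):
    return "alice@example.test" in next_visitor_sees(origin_headers)

if __name__ == "__main__":
    for h in ({}, {"Vary": "Cookie"}, {"Cache-Control": "no-cache"},
              {"Cache-Control": "private, max-age=0"}):
        print(h, "-> leaks" if leaks(h) else "-> no leak")
```

In this model `Vary: Cookie` only separates visitors whose Cookie headers differ; two requests with identical Cookie headers still share one cached variant.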
Updated•11 years ago
Whiteboard: [site:hacks.mozilla.org]
Updated•11 years ago
Component: hacks.mozilla.org → Mozilla Hacks
Product: Websites → Mozilla Developer Network
Comment 4•11 years ago
I cannot reproduce. I can see my own contact information in the form when I visit the page a second time, but not the contact information of another user. The strange thing here is that Stephanie is even /seeing/ a comment that is in moderation. Normal users cannot do this. Maybe she was logged in? But after testing with jswisher, it appears that even logged-in users cannot see the contact information of other commenters today. Marking as WORKSFORME. Please reopen if I am mistaken.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Comment 5•11 years ago
Tagging this correctly, just in case it is reopened.
Priority: -- → P1
Whiteboard: [site:hacks.mozilla.org] → [site:hacks.mozilla.org][specification-like][type:bug]
Updated•11 years ago
Resolution: WORKSFORME → DUPLICATE
Comment 7•8 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•7 years ago
Product: Mozilla Developer Network → Developer Engagement