Open Bug 724179 Opened 13 years ago Updated 2 years ago

Gecko sends cookies and HTTP auth credentials in mixed-content requests

Categories: Core :: DOM: Security, defect, P3

People: Reporter: briansmith, Unassigned

References: Blocks 1 open bug

Details: Keywords: privacy, Whiteboard: [domsecurity-backlog]

In the mixed-content case where an HTTPS page has embedded non-HTTPS sub-resources, we should stop sending cookies in the requests for the non-HTTPS content when we choose to load it at all. The cookies likely leak information about the user's identity--often directly exposing the user's email address. Most of our motivation for continuing to support mixed-content images comes from the desire to allow hotlinking to non-HTTPS images in email programs (like GMail) and online forums. I bet it is extremely rare that the user ever benefits from sending cookies in those requests. Especially in the case of email, they are almost definitely tracking cookies designed to verify whether the email was read by the user. I think this is likely to be the most acceptable middle ground in the short term, for limiting the negative security impact of loading images and videos in mixed content scenarios by default.
Sorry. "...that haven't been approved by CORS" is part of the summary for a related bug.
Summary: Gecko sends cookies and HTTP auth credentials in mixed-content requests that haven't been approved by CORS → Gecko sends cookies and HTTP auth credentials in mixed-content requests
What problem are you trying to solve here? It seems to me this change would just push trackers to move to HTTPS, or put the recipient's email address in the image URL.
(In reply to Jesse Ruderman from comment #2)
> What problem are you trying to solve here?

I believe it's about limiting the leakage of potentially sensitive information to people snooping the connection (MITM).
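As an added example, not code from this bug or from Gecko, the following models the RFC 6265 cookie-matching rules to show which cookies in a constructed jar would travel in cleartext with a plain-HTTP image request embedded in an HTTPS page (the case comment 0 describes), and that the Secure attribute is the cookie-level control that keeps a given cookie out of that request. The host names and cookie values (mail.example.com, alice@example.com) are made up.

```python
# Added example (not from the bug report): a minimal RFC 6265 cookie-matching model
# showing which cookies ride along on a mixed-content (plain-HTTP) sub-resource request.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str            # Domain attribute; host-only cookies match the exact host only
    path: str = "/"
    secure: bool = False
    host_only: bool = False

def domain_matches(host: str, cookie: Cookie) -> bool:
    """RFC 6265 section 5.1.3 domain matching."""
    host, dom = host.lower(), cookie.domain.lower().lstrip(".")
    return host == dom or (not cookie.host_only and host.endswith("." + dom))

def path_matches(req_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path matching."""
    if not req_path.startswith(cookie_path):
        return False
    return (req_path == cookie_path or cookie_path.endswith("/")
            or req_path[len(cookie_path)] == "/")

def cookies_sent(jar, url: str) -> list[str]:
    """'name=value' pairs a browser would attach to a request for url (RFC 6265 section 5.4)."""
    p = urlsplit(url)
    return sorted(f"{c.name}={c.value}" for c in jar
                  if domain_matches(p.hostname, c) and path_matches(p.path or "/", c.path)
                  and (p.scheme == "https" or not c.secure))  # Secure: never over plain HTTP

def leaked_in_mixed_content(jar, page_url: str, sub_url: str) -> list[str]:
    """Cookies sent in cleartext when an HTTPS page embeds a plain-HTTP sub-resource."""
    if urlsplit(page_url).scheme != "https" or urlsplit(sub_url).scheme != "http":
        return []          # not a mixed-content request; nothing new is exposed
    return cookies_sent(jar, sub_url)

# Constructed sample jar for a hypothetical webmail site (mail.example.com is made up)
JAR = [
    Cookie("SID", "opaque", "mail.example.com", secure=True, host_only=True),
    Cookie("user", "alice@example.com", "example.com"),          # no Secure flag
    Cookie("prefs", "dark", "example.com", secure=True),
]

if __name__ == "__main__":
    print(leaked_in_mixed_content(JAR, "https://mail.example.com/inbox",
                                  "http://img.example.com/pixel.gif"))
```

Only the non-Secure domain cookie carrying the address is exposed; the Secure cookies on the same domain stay out of the plain-HTTP request.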
Component: Security → DOM: Security
Whiteboard: [fingerprinting] → [fingerprinting], [domsecurity-backlog]
Hi Brian, why was this bug tagged as [fingerprinting]?
Flags: needinfo?(brian)
Priority: -- → P3
No longer blocks: uplift_tor_fingerprinting
Whiteboard: [fingerprinting], [domsecurity-backlog] → [domsecurity-backlog]
Flags: needinfo?(brian)
Severity: normal → S3