"View Page Source" should not rerequest the page unless the user explicitly asks to

RESOLVED DUPLICATE of bug 307089

Status

()

Firefox
Untriaged
--
major
RESOLVED DUPLICATE of bug 307089
6 years ago
6 years ago

People

(Reporter: fawer, Unassigned)

Tracking

12 Branch
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

6 years ago
When you click "view source" you expect to get the source of the page you're looking at, not some entirely different webpage. A huge number of webpages are sensitive to request timing, including any page with logins, and "view source" is useless in each of those cases.

Of course, there is a hackjob solution if one wants to view the current source - to use "inspect element". But that is an entirely different issue; the problem here is that "view source" does not do what the user wants it to do, and in any case, "inspect element" is nowhere near a perfect substitute for "view source".

This quirk in Firefox's behavior has already been well-exploited in the wild by malware, such as the Blackhole kit. When Firefox first loads a compromised webpage, the user's system gets owned through a Java exploit. Blackhole bans all subsequent requests, so "View source" shows a blank page. Any user unaware that "view source" sends a second request (almost everyone) will be misled into thinking that nothing has happened, even though his system has just been compromised.
(Reporter)

Comment 1

6 years ago
Didn't search carefully enough.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 307089
You need to log in before you can comment on or make changes to this bug.