Bug 838646 - Generation of HTTPS thumbs
Status: RESOLVED DUPLICATE of bug 755996
Product: Firefox
Classification: Client Software
Component: Tabbed Browser
Version: 18 Branch
Platform: x86_64 Windows 7
Importance: -- normal
Assigned To: Nobody; OK to take it and work on it
Reported: 2013-02-06 08:31 PST by theshiftexchange
Modified: 2014-07-16 11:31 PDT
dveditz: sec‑bounty-


Attachments
6ca8746c1b91b784ed63658648a9bfaf.png (27.29 KB, image/png)
2013-02-06 08:31 PST, theshiftexchange

Description theshiftexchange 2013-02-06 08:31:33 PST
Created attachment 710745
6ca8746c1b91b784ed63658648a9bfaf.png

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130201065344

Steps to reproduce:

I've found that "newtab" thumbnails are generating screenshots of HTTPS websites, despite all the documentation stating that should not occur.

I am using the latest Firefox 18.0.2 version on Windows 7.


Actual results:

If you visit a secure HTTPS page, it is taking constant pictures of HTTPS data. Whilst the data is then NOT used in the newtabs screen - it is stored on my hard drive! This data is stored in the user firefox/profiles/xxxx.default/thumbnails folder.

I found that I could view a Google 2-Factor barcode - and the quality was high enough that my iPhone 5 would recognise the barcode from the 'screenshot' cached image!

I have attached a copy of this screenshot.

p.s. the 2-factor image + account is a 'throwaway' account - so there is no risk with you using this image to test on your iPhone or Android.


Expected results:

Obviously it should not take screenshots of HTTPS pages. Whilst the image is never used on the 'newtabs' page - the storage on the hard drive is dangerous and not needed.
Comment 1 Daniel Veditz [:dveditz] 2013-02-06 10:43:13 PST

*** This bug has been marked as a duplicate of bug 755996 ***
Comment 2 Daniel Veditz [:dveditz] 2013-02-06 10:47:48 PST
The "documentation"(?) was maybe an announcement about the changes in bug 754608, which made the thumbnails follow the caching rules for https. Https pages can indeed be cached depending on whether or not they're marked "no-store". bug 755996 (and you, in this bug) says that's not good enough which may be true, but is already covered in bug 755996.
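
Added example, not part of the bug thread and not Mozilla's code: Comment 2 says thumbnail capture followed the HTTPS caching rules, which turn on whether a page is marked "no-store". From a site operator's side, this Python sketch lists which HTTPS responses lack a real `no-store` directive; the URLs and header values are constructed and the function names are hypothetical.

```python
# Added example: all URLs and header values below are constructed.
from urllib.parse import urlsplit

def directives(header_values):
    """Parse one or more Cache-Control header values into {name: argument}.

    Handles comma-separated directives, case-insensitive names, and
    quoted-string arguments that may themselves contain commas.
    (Backslash-escaped quotes inside a quoted string are not handled.)
    """
    found = {}
    for value in header_values:
        token, in_quotes, parts = "", False, []
        for ch in value:
            if ch == '"':
                in_quotes = not in_quotes
            if ch == "," and not in_quotes:
                parts.append(token)
                token = ""
            else:
                token += ch
        parts.append(token)
        for part in parts:
            name, _, arg = part.strip().partition("=")
            if name:
                found[name.strip().lower()] = arg.strip().strip('"')
    return found

def forbids_storage(header_values):
    """True only if no-store appears as a directive, not inside an argument."""
    return "no-store" in directives(header_values)

def audit(responses):
    """Return the HTTPS URLs whose responses do not carry no-store."""
    return [url for url, headers in responses
            if urlsplit(url).scheme == "https" and not forbids_storage(headers)]

SAMPLE = [  # constructed: (URL, list of Cache-Control header values)
    ("https://accounts.example/2fa-setup", ["no-cache, must-revalidate"]),
    ("https://accounts.example/login", ["private", "No-Store"]),
    ("https://accounts.example/qr", ['private="no-store, x", max-age=0']),
    ("https://accounts.example/settings", []),
    ("http://www.example/", ["public, max-age=600"]),
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("storable under caching rules:", url)
```

Note that `no-cache` alone does not forbid storage, so the first sample page is still reported.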
Comment 3 theshiftexchange 2013-02-07 06:07:48 PST
"The "documentation"(?) was maybe an announcement about the changes in bug 754608, which made the thumbnails follow the caching rules for https."

Well the "documentation" is VERY poorly worded then: http://support.mozilla.org/en-US/kb/thumbnails-on-new-tab-page-are-missing


"Why are the thumbnails not displayed?
Firefox stores the website thumbnails it displays on the New Tab page in temporary files on your computer. Some websites (such as HTTPS sites) don't allow files to be cached so they don't have a thumbnail. This ensures that no sensitive information is displayed when you are logged out. Also, clearing your browsing history (manually or automatically when Firefox closes) will delete thumbnails."

specifically this sentence; "Some websites (such as HTTPS sites) don't allow files to be cached so they don't have a thumbnail" - yet they DO have a thumbnail - you just don't SHOW the thumbnail - it is two VERY different things.

I'm aware that the site might still be cached - but simply showing a 'grey' screen and pretending the data is not there is NOT the same as the data not being there!
