Created attachment 710745
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130201065344
Steps to reproduce:
I've found that "newtab" thumbnails are generating screenshots of HTTPS websites, despite all the documentation stating that should not occur.
I am using the latest Firefox 18.0.2 version on Windows 7.
If you visit a secure HTTPS page, it is taking constant pictures of HTTPS data. Whilst the data is then NOT used in the newtabs screen - it is stored on my hard drive! This data is stored in the user firefox/profiles/xxxx.default/thumbnails folder.
I found that I could view a Google 2-Factor barcode - and the quality was high enough that my iPhone 5 would recognise the barcode from the 'screenshot' cached image!
I have attached a copy of this screenshot.
p.s. the 2-factor image + account is a 'throwaway' account - so there is no risk with you using this image to test on your iPhone or Android.
Obviously it should not take screenshots of HTTPS pages. Whilst the image is never used on the 'newtabs' page - the storage on the hard drive is dangerous and not needed.
*** This bug has been marked as a duplicate of bug 755996 ***
The "documentation"(?) was maybe an announcement about the changes in bug 754608, which made the thumbnails follow the caching rules for https. Https pages can indeed be cached depending on whether or not they're marked "no-store". bug 755996 (and you, in this bug) says that's not good enough which may be true, but is already covered in bug 755996.
"The "documentation"(?) was maybe an announcement about the changes in bug 754608, which made the thumbnails follow the caching rules for https."
Well the "documentation" is VERY poorly worded then: http://support.mozilla.org/en-US/kb/thumbnails-on-new-tab-page-are-missing
"Why are the thumbnails not displayed?
Firefox stores the website thumbnails it displays on the New Tab page in temporary files on your computer. Some websites (such as HTTPS sites) don't allow files to be cached so they don't have a thumbnail. This ensures that no sensitive information is displayed when you are logged out. Also, clearing your browsing history (manually or automatically when Firefox closes) will delete thumbnails."
Specifically this sentence; "Some websites (such as HTTPS sites) don't allow files to be cached so they don't have a thumbnail" - yet they DO have a thumbnail - you just don't SHOW the thumbnail - it is two VERY different things.
I'm aware that the site might still be cached - but simply showing a 'grey' screen and pretending the data is not there is NOT the same as the data not being there!
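For site operators, the rule stated in the comment above (thumbnails follow the HTTPS caching rules, which hinge on whether a response is marked "no-store") can be checked against a site's own response headers. The following is an added example, not Firefox code and not part of the original thread; the function names and the sample responses are constructed for illustration, and it models only the "no-store" rule as described in that comment.

```python
import re

# One directive: a name, optionally "=" plus a token or a quoted string,
# terminated by a comma or the end of the header value.
_DIRECTIVE = re.compile(
    r'\s*([^\s,="]+)(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]*))?\s*(?:,|$)')

def parse_cache_control(values):
    """Parse one or more Cache-Control header values into {directive: arg}."""
    directives = {}
    for value in values:
        pos = 0
        while pos < len(value):
            m = _DIRECTIVE.match(value, pos)
            if not m:
                # Malformed element: skip to the next comma and carry on.
                nxt = value.find(",", pos)
                if nxt == -1:
                    break
                pos = nxt + 1
                continue
            name, arg = m.group(1).lower(), m.group(2)
            if arg is not None and arg.startswith('"'):
                arg = arg[1:-1]  # drop surrounding quotes
            directives[name] = arg
            pos = m.end()
    return directives

def thumbnail_may_persist(headers):
    """True if no Cache-Control line carries a real no-store directive.

    headers is a list of (name, value) pairs, so repeated Cache-Control
    lines are all taken into account. Hypothetical helper name.
    """
    values = [v for k, v in headers if k.lower() == "cache-control"]
    return "no-store" not in parse_cache_control(values)

# Constructed sample responses for sensitive pages (not real traffic).
SAMPLE_RESPONSES = {
    "/2fa/setup": [("Cache-Control", "private, no-cache")],
    "/account": [("cache-control", "max-age=0, No-Store")],
    "/settings": [("Cache-Control", 'no-cache="set-cookie, no-store", private')],
    "/billing": [("Cache-Control", "private"), ("Cache-Control", "no-store")],
}

def audit(responses):
    """Return the paths whose responses are not marked no-store."""
    return sorted(p for p, h in responses.items() if thumbnail_may_persist(h))
```

Here `audit(SAMPLE_RESPONSES)` flags `/2fa/setup` and `/settings`: `no-cache` and `private` alone do not mark a response "no-store", and a "no-store" that only appears inside a quoted argument is not a directive.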