Closed Bug 951685 Opened 11 years ago Closed 9 years ago

warn if HTTP 302 redirects outside the current site - mitigate quantum attack

Categories

(Firefox :: Untriaged, defect)

25 Branch
x86_64
Windows 7
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: hauser, Unassigned, NeedInfo)

References

(Depends on 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131112160018

Steps to reproduce:

http://www.wired.com/opinion/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon/

accessibility.blockautorefresh apparently does it for any redirect. But as long as it is the intended site reloading itself, this is not important from a security perspective.

Actual results:

Redirecting to a fake google.com lets a man-in-the-middle read an identifying cookie of a (via TOR?) surfing user.

Expected results:

Ghostery and the NoScript add-in may partially solve the problem, but this may well be important enough to make it part of the Firefox base offering? This should be complemented by the possibility to restrict my cookies to only being released into https connections, as per bug 543755.
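An added illustration of the check the report asks for (example code, not part of this bug and not Firefox's own logic): each redirect hop is classified by comparing the registrable domains of the current page and the Location target, so a site reloading itself passes silently while a hop to another site, or an https-to-http downgrade, is surfaced to the user. The small public-suffix set, the placeholder lookalike host and the redirect chain are constructed for the example; a real implementation would load the full Public Suffix List.

```python
from urllib.parse import urljoin, urlsplit

# Constructed, abbreviated stand-in for the Public Suffix List (assumption:
# a real implementation would load the full list, e.g. via publicsuffix2).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed redirect chain of (page URL, Location header) pairs; the last
# hop models the "fake google.com" case from the report with a placeholder host.
SAMPLE_CHAIN = [
    ("https://www.google.com/search?q=x", "/search?q=x&start=10"),
    ("https://www.google.com/", "https://accounts.google.com/signin"),
    ("https://www.google.com/", "http://www.google.com/"),
    ("https://www.google.com/", "https://www.google.com.example.net/"),
]


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'accounts.google.com' -> 'google.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # The first label whose parent is a public suffix starts the registrable domain.
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()  # no known suffix (e.g. 'localhost'): whole host is the site


def classify_redirect(current_url: str, location: str) -> str:
    """Classify a 3xx Location header relative to the page that received it.
    'same-site'  : same registrable domain, scheme not weakened (site reloading itself)
    'downgrade'  : same site, but https -> http (cookies would leave the TLS channel)
    'cross-site' : target is a different registrable domain (the case to warn about)
    """
    src = urlsplit(current_url)
    dst = urlsplit(urljoin(current_url, location))  # Location may be relative
    if registrable_domain(src.hostname or "") != registrable_domain(dst.hostname or ""):
        return "cross-site"
    if src.scheme == "https" and dst.scheme == "http":
        return "downgrade"
    return "same-site"


def redirects_to_warn(chain):
    """Return the hops a browser should surface to the user instead of following silently."""
    flagged = []
    for page, location in chain:
        verdict = classify_redirect(page, location)
        if verdict != "same-site":
            flagged.append((page, location, verdict))
    return flagged
```

Running `redirects_to_warn(SAMPLE_CHAIN)` flags only the downgrade hop and the hop to the placeholder lookalike host; the two in-site hops are left alone, which is the distinction accessibility.blockautorefresh does not make.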
> accessibility.blockautorefresh

If you are talking about HTTP redirection, you can set "network.http.redirection-limit" to 0.
Depends on: 803590
See Also: → 1150311
(In reply to O. Atsushi (Torisugari) from comment #1)
> If you are talking about HTTP redirection, you can set "network.http.redirection-limit" 0.

If I do that, I get “The page isn't redirecting properly” and no information bar to allow the redirection. Example: http://mzl.la/1BAQNzf
Hi Ralf, Are you still encountering this issue? If so, can you retry testing it in a current version of Firefox to see if it's fixed? Thanks.
Flags: needinfo?(hauser)
Closing due to lack of response from the reporter. If you feel this is a pertinent issue, please provide the requested information and reopen. Thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE