Closed Bug 951685 Opened 11 years ago Closed 9 years ago

warn if HTTP 302 redirects outside the current site - mitigate quantum attack


(Firefox :: Untriaged, defect)

25 Branch
Windows 7
Not set





(Reporter: hauser, Unassigned, NeedInfo)


(Depends on 1 open bug)


User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131112160018

Steps to reproduce:

accessibility.blockautorefresh apparently does it for any redirect. But as long as it is the intended site reloading itself, this is not important from a security perspective.

Actual results:

Redirecting to a fake lets a man-in-the-middle read an identifying cookie of a (via Tor?) surfing user.

Expected results:

Ghostery and NoScript AddIn may partially solve the problem, but this may well be important enough to make it part of the Firefox base offering?

This should be complemented by the possibility to restrict my cookies to only being released into HTTPS connections as per bug 543755.
> accessibility.blockautorefresh

If you are talking about HTTP redirection, you can set "network.http.redirection-limit" 0.
Depends on: 803590
See Also: → 1150311
(In reply to O. Atsushi (Torisugari) from comment #1)
> If you are talking about HTTP redirection, you can set "network.http.redirection-limit" 0.

If I do that, I get “The page isn't redirecting properly” and no information bar to allow the redirection. Example:
Hi Ralf,

Are you still encountering this issue? If so, can you retry testing it in a current version of Firefox to see if it's fixed? Thanks.
Flags: needinfo?(hauser)
Closing due to lack of response from the reporter. If you feel this is a pertinent issue, please provide the requested information and reopen. Thanks!
Closed: 9 years ago
Resolution: --- → INCOMPLETE