Opened 5 years ago

Closed 8 months ago

#10089 closed enhancement (fixed)

middlemouse.contentLoadURL is set to true by default

Reported by: WDXfjqDN4QKGYrlY Owned by: tbb-team
Priority: Low Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam201709R
Cc: blubber Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Please consider setting TBB's default 'middlemouse.contentLoadURL' (in about:config) from 'true' to 'false'.

When copying and pasting personal URLs that could contain personally identifiable information or link to said information the default behavior of a privacy minded browser should focus toward privacy and security over the ease and convenience of a loading URLS with a single button click. This default behavior often occurs by mistake when missing a middle mouse click on a link (to open in a new tab).

Reference links:
https://bugzilla.mozilla.org/show_bug.cgi?id=366945
https://bugzilla.mozilla.org/show_bug.cgi?id=667340

Child Tickets

Change History (17)

comment:1 Changed 5 years ago by arma

I use this feature. I imagine a lot of people do.

Is the recent change of "ignore the thing you paste unless it's a URL" not good enough? (It seemed good enough for most of the people on the tickets you reference.)

comment:2 Changed 4 years ago by beadcafe

It has happened to me that I have by mistake pasted in a Tor session a URL that identified me, so the "ignore the thing you paste unless it's a URL" hasn't been a good enough safeguard for me.

comment:3 Changed 4 years ago by breadyt

The problem that I've seen is that even highlighting any URL (without copying it) will cause the browser to go to the page when middle clicking. This even happens if you highlight a URL in non-Tor firefox then middle click in TBB. Just selecting text should not cause a potential security breach.

An easy fix would be to enable autoscrolling by default, since this changes middle click behavior. At least if the user wants to change back, it is easy to do so in the preferences menu without going to the config page.

comment:4 Changed 4 years ago by gk

Milestone: Tor: unspecified
Version: Tor: 0.2.4.17-rc

comment:5 Changed 4 years ago by erinn

Component: Firefox Patch IssuesTor Browser
Keywords: tbb-firefox-patch added
Owner: changed from mikeperry to tbb-team

comment:6 Changed 4 years ago by arma

We closed #10490 and #7639 as duplicates of this one.

comment:7 Changed 2 years ago by martingale

Severity: Normal

I found this ticket after accidentally middle-click navigating to a URL that would uniquely identify me. Please set middlemouse.contentLoadURL = false by default, at the very least in the hardened bundle.

comment:8 Changed 2 years ago by gk

Cc: blubber added

#11209 is a duplicate.

comment:9 Changed 11 months ago by discram

This just happened to me and was completely unintended and unexpected (and confusing as I hadn't intentionally copied the URL to begin with, although I had visited it earlier in another browser). This setting is actually turned off by default in Firefox Linux, but not Tor Linux.

I obviously have no data to back this up, but I'd imagine that the majority of users who do this do it unintentionally (although perhaps intentional users do it frequently).

Given the potential to reveal your identity and the ease of switching it back on, I see this as an easy change to default off.

In case it isn't clear from the rest of the ticket, middleclicking ANYWHERE on a page except on a link will immediately navigate to the URL in the clipboard.

comment:10 in reply to:  9 Changed 11 months ago by boklm

Replying to discram:

This just happened to me and was completely unintended and unexpected (and confusing as I hadn't intentionally copied the URL to begin with, although I had visited it earlier in another browser). This setting is actually turned off by default in Firefox Linux, but not Tor Linux.

This setting is actually turned on by default in Firefox (and we don't change it in Tor Browser).

comment:11 Changed 9 months ago by cypherpunks

Keywords: tbb-linkability added
Priority: Very LowLow

comment:12 Changed 9 months ago by gk

Keywords: ff59-esr-will-have tbb-backport added

comment:13 Changed 9 months ago by cypherpunks

Keywords: tbb-pref added; middlemouse privacy tbb-firefox-patch tbb-linkability removed

comment:14 Changed 8 months ago by gk

Keywords: TorBrowserTeam201709R added

From #22814:

Mozilla finally decided to fix this 11 year old bug report and set middlemouse.contentLoadURL to false in Firefox 57: https://bugzilla.mozilla.org/show_bug.cgi?id=366945

I think it would be nice if someone from the TB team backports this easy patch,

diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -4256,7 +4256,6 @@ pref("browser.drag_out_of_frame_style", 
 
 // Middle-mouse handling
 pref("middlemouse.paste", true);
-pref("middlemouse.contentLoadURL", true);
 pref("middlemouse.openNewWindow", true);
 pref("middlemouse.scrollbarPosition", true);
 
@@ -4319,7 +4318,6 @@ pref("browser.drag_out_of_frame_style", 
 
 // Middle-mouse handling
 pref("middlemouse.paste", true);
-pref("middlemouse.contentLoadURL", true);
 pref("middlemouse.openNewWindow", true);
 pref("middlemouse.scrollbarPosition", true);

It handles Android as well

comment:15 Changed 8 months ago by cypherpunks

Keywords: ff59-esr-will-have removed

This has been fixed for FF57 so removing ff59-esr-will-have keyword.

comment:16 Changed 8 months ago by gk

Keywords: ff59-esr-will-have added

Let's keep it until we are sure we ship that patch in the ESR52 timeframe.

comment:17 Changed 8 months ago by gk

Keywords: ff59-esr-will-have tbb-backport tbb-pref removed
Resolution: fixed
Status: newclosed

Okay, I cherry-picked that one from gecko-dev (commit 993944794e48e93074842e127ec1b9b6c34c1ef8 on tor-browser-52.3.0esr-7.5-2).

Note: See TracTickets for help on using tickets.