Opened 9 years ago

Closed 9 years ago

#1673 closed defect (fixed)

Firefox HTTP Prefetch feature leaks unencrypted site accesses, ignoring rewrite rules

Reported by: schoen
Owned by: mikeperry
Priority: High
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Firefox supports a feature called HTTP Prefetch, where an HTML page can "hint" that a user is likely to access a particular page in the near future. Firefox can (and by default does) load the relevant URL even before the user clicks on this.

Google search results (in some circumstances) contain HTML code that requests a prefetch of the top search result. (Google is not necessarily the only site that triggers this problem!) Firefox will, by default, then load this page, ignoring any potentially applicable HTTPS Everywhere rewrite rules. For instance, if the top search result is a Wikipedia page, Firefox will load that page in plaintext in the background, even though HTTPS Everywhere has a rule that should force the Wikipedia page access to be rewritten. (Actually clicking on the link results in HTTPS Everywhere rewriting it, but the browser has already loaded the unencrypted version!)

See
https://mail1.eff.org/pipermail/https-everywhere/2010-July/000025.html
for more discussion of this problem.

See also
https://developer.mozilla.org/en/link_prefetching_faq
for discussion of HTTP Prefetch. (You can turn it off entirely, but I don't know whether that's the right solution.)
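
An added example (not part of the ticket and not HTTPS Everywhere code): a Node.js audit that lists the prefetch hints on a page, in `<link>` tags or a `Link:` header, that would be fetched over plain HTTP although a rewrite rule covers the host. `RULE_HOSTS`, the function names and the sample page are constructed for illustration.

```javascript
// Added example: hosts, names and sample page are constructed for illustration.
// Stand-in for HTTPS Everywhere rulesets: hosts that a rewrite rule covers.
const RULE_HOSTS = [/^([a-z0-9-]+\.)?wikipedia\.org$/i];

// Collect URLs hinted via <link rel="prefetch|next"> or a Link: response header.
function findPrefetchHints(html, linkHeader = "") {
  const hints = [];
  for (const tag of html.match(/<link\b[^>]*>/gi) || []) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    for (const m of tag.matchAll(attrRe)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    const rels = (attrs.rel || "").toLowerCase().split(/\s+/);
    if (attrs.href && rels.some((r) => r === "prefetch" || r === "next")) {
      hints.push(attrs.href);
    }
  }
  const headerRe = /<([^>]+)>\s*;\s*rel\s*=\s*"?([^";,]+)"?/gi;
  for (const m of linkHeader.matchAll(headerRe)) {
    if (/\b(prefetch|next)\b/i.test(m[2])) hints.push(m[1]);
  }
  return hints;
}

// Hints that resolve to http:// on a host a rewrite rule should have upgraded.
function plaintextLeaks(html, baseUrl, linkHeader = "") {
  return findPrefetchHints(html, linkHeader)
    .map((h) => new URL(h, baseUrl))
    .filter((u) => u.protocol === "http:" && RULE_HOSTS.some((re) => re.test(u.hostname)))
    .map((u) => u.href);
}

// Constructed sample: a results page hinting at its top result.
const SAMPLE_HTML = `<head>
<link rel="prefetch" href="http://en.wikipedia.org/wiki/Tor">
<link rel="stylesheet" href="http://en.wikipedia.org/style.css">
<link rel='next' href='/page2'>
<link rel="prefetch" href="https://en.wikipedia.org/wiki/EFF">
</head>`;
const SAMPLE_LINK_HEADER = "<http://de.wikipedia.org/wiki/Tor>; rel=prefetch";

console.log(plaintextLeaks(SAMPLE_HTML, "http://search.example/results?q=tor", SAMPLE_LINK_HEADER));
```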


Change History (2)

comment:1 Changed 9 years ago by pde

Owner: changed from pde to mikeperry
Status: changed from new to assigned

comment:2 Changed 9 years ago by pde

Resolution: fixed
Status: changed from assigned to closed

Fixed in the recent development branch
