spoof history.length - browser.sessionhistory.max_entries
ip-check.info demonstrated, history.length can be read.
They recommend:
The number of visited pages should be reset to 2 whenever you change to a new domain.
Open about:config and set browser.sessionhistory.max_entries to 2.
What about doing this with TorButton?
Activity
Setting "browser.sessionhistory.max_entries" to "2" is not worth the usability issues, I think (wearing a user hat). There should be a smarter approach.
Trac:
Cc: N/A to g.koppen@jondos.de
FWIW,
browser.sessionhistory.max_entrieshas been broken since FF61, and I will probably never get fixed - see https://bugzilla.mozilla.org/show_bug.cgi?id=1511813As for cross-origin linkability / privacy concerns: there shouldn't be any: see
- https://developer.mozilla.org/en-US/docs/Web/API/History
- https://html.spec.whatwg.org/multipage/history.html
I think we can close this.
Edit: Note: there may be other underlying issues with History API (which the pref has nothing to do with) such as
history.pushState, where an attcker can find it useful to hide reflected XSS in the URL by dynamically changing the path to something less suspicious - e.g. http://samuli.hakoniemi.net/tag/history-pushstate/ - but that's out of scope for this ticketTrac:
Reviewer: N/A to N/A
Sponsor: N/A to N/A-
We could think about keeping this ticket for further History API investigations and there is no need for pages knowing my session history length, really.
Trac:
Cc: g.koppen@jondos.de to N/A -
#32983 (moved) is a duplicate.
Trac:
Cc: N/A to pf.team mentioned in issue #32983 (moved)
