[Security Issue] Redirect block is useless without redirect info.
I turned on "Warn me when websites try to redirect or reload a page."
However, when I get the warning (plus an Allow button) I'm not told where the redirect leads. How am I supposed to decide whether I want to take that redirect or if it's safe if I have no idea where it's taking me?
At the very least, Firefox should display the redirect URL. It's also a good idea to tell the user whether it's a javascript redirect, a html meta tag redirect, or a 30x HTTP code - and if the latter, which one exactly. (Telling this could be an option for the more technically sophisticated users.)
And I sincerely hope that the redirect warning feature stops all of the above. Otherwise what's the point if it can be circumvented. (Please elaborate in response.)
With the NSA using redirects against even technically savvy targets (the infamous Slashdot/LinkedIn MitM/MotS against EU telecoms tech staff), having a tight control on redirects should be a security priority for Mozilla.
Please fix in the next point release.
A swift and successful resolution will result in a modest donation to Mozilla. Thank you.
mietekszczesniak trɔe
All Replies (2)
Please note that this feature actually is very limited in purpose: it is meant to avoid confusing accessibility add-ons or users with accessibility challenges, and not to prevent all possible kinds of redirection. Hence its placement under Accessibility options rather than Security options.
To morph the functionality in a new direction, I suggest filing a bug report at: https://bugzilla.mozilla.org/. Such a change could take several versions to make it into the regular release of Firefox. In the meantime, perhaps you can find an extension that offers this protection?
See also:
- Bug 685496 - (redirect-warn) Tracking bug for enhancements and bugs with "Warn Me when web sites try to redirect or reload the page" feature and the corresponding "Firefox prevented this page from automatically redirecting to another page" information bar