This thread was archived. Please ask a new question if you need help.

[Security Issue] Redirect block is useless without redirect info.

  • 2 replies
  • 2 have this problem
  • 4 views
  • Last reply by cor-el

I turned on "Warn me when websites try to redirect or reload a page."

However, when I get the warning (plus an Allow button) I'm not told where the redirect leads. How am I supposed to decide whether I want to take that redirect or if it's safe if I have no idea where it's taking me?

At the very least, Firefox should display the redirect URL. It's also a good idea to tell the user whether it's a JavaScript redirect, an HTML meta tag redirect, or a 30x HTTP code - and if the latter, which one exactly. (Telling this could be an option for the more technically sophisticated users.)

And I sincerely hope that the redirect warning feature stops all of the above. Otherwise what's the point if it can be circumvented? (Please elaborate in response.)

With the NSA using redirects against even technically savvy targets (the infamous Slashdot/LinkedIn MitM/MotS against EU telecoms tech staff), having a tight control on redirects should be a security priority for Mozilla.

Please fix in the next point release.

A swift and successful resolution will result in a modest donation to Mozilla. Thank you.

Edited by mietekszczesniak on
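
What the post asks the warning to show (the destination, and whether the redirect is a 30x response, a meta refresh, or JavaScript) can be read from a captured response without following it. The sketch below is an added example, not part of the original thread and not Firefox code; the `describeRedirect` name, the response object shape, and the sample responses are assumptions, and the script check only finds string-literal targets.

```javascript
// Added example: report where a redirect leads and how, without following it.
// The { url, status, headers, body } shape is an assumption of this sketch.
function describeRedirect(resp) {
  const headers = {};
  for (const [k, v] of Object.entries(resp.headers || {})) headers[k.toLowerCase()] = v;
  const body = resp.body || "";
  let mechanism = null;
  let raw = null;

  if (resp.status >= 300 && resp.status < 400 && headers.location) {
    // Server-side redirect: the exact 30x code is kept in the report.
    mechanism = `HTTP ${resp.status}`;
    raw = headers.location;
  } else {
    // <meta http-equiv="refresh" content="N; url=..."> in either attribute order.
    const meta = (body.match(/<meta\b[^>]*http-equiv\s*=\s*["']?refresh\b[^>]*>/i) || [])[0];
    const m = meta && meta.match(
      /content\s*=\s*["']?\s*[\d.]+\s*[;,]\s*(?:url\s*=\s*)?["']?([^"'>\s]+)/i);
    // Heuristic: only string-literal script targets can be recovered statically.
    const js = body.match(
      /\blocation(?:\.href)?\s*=\s*["']([^"']+)["']|\blocation\.(?:assign|replace)\(\s*["']([^"']+)["']/i);
    if (m) { mechanism = "meta refresh"; raw = m[1]; }
    else if (js) { mechanism = "JavaScript"; raw = js[1] || js[2]; }
  }
  if (!mechanism) return null;

  // Resolve relative and scheme-relative targets against the page URL.
  const target = new URL(raw, resp.url);
  const crossOrigin = target.origin !== new URL(resp.url).origin;
  return { mechanism, target: target.href, crossOrigin };
}

// Constructed sample responses (not real traffic).
const SAMPLES = [
  { url: "https://news.example/story", status: 302,
    headers: { Location: "//tracker.example.net/r?id=1" }, body: "" },
  { url: "https://news.example/a", status: 200, headers: {},
    body: '<meta http-equiv="refresh" content="0; url=https://other.example/landing">' },
  { url: "https://news.example/a", status: 200, headers: {},
    body: '<script>location.replace("/login");</script>' },
  { url: "https://news.example/a", status: 200, headers: {}, body: "<p>No redirect</p>" },
];
for (const s of SAMPLES) console.log(s.url, "->", describeRedirect(s));
```

The `crossOrigin` flag marks the case a user most needs to see before pressing Allow: a target on a different origin than the page that issued the redirect.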

All Replies (2)

Please note that this feature actually is very limited in purpose: it is meant to avoid confusing accessibility add-ons or users with accessibility challenges, and not to prevent all possible kinds of redirection. Hence its placement under Accessibility options rather than Security options.

To morph the functionality in a new direction, I suggest filing a bug report at: https://bugzilla.mozilla.org/. Such a change could take several versions to make it into the regular release of Firefox. In the meantime, perhaps you can find an extension that offers this protection?

more options

See also:

  • Bug 685496 - (redirect-warn) Tracking bug for enhancements and bugs with "Warn Me when web sites try to redirect or reload the page" feature and the corresponding "Firefox prevented this page from automatically redirecting to another page" information bar