
[Security Issue] Redirect block is useless without redirect info.

  • 2 replies
  • 2 have this problem
  • 4 views
  • Last reply by cor-el


I turned on "Warn me when websites try to redirect or reload a page."

However, when I get the warning (plus an Allow button) I'm not told where the redirect leads. How am I supposed to decide whether I want to take that redirect or if it's safe if I have no idea where it's taking me?

At the very least, Firefox should display the redirect URL. It's also a good idea to tell the user whether it's a JavaScript redirect, an HTML meta tag redirect, or a 30x HTTP code - and if the latter, which one exactly. (Telling this could be an option for the more technically sophisticated users.)

And I sincerely hope that the redirect warning feature stops all of the above. Otherwise, what's the point if it can be circumvented? (Please elaborate in response.)

With the NSA using redirects against even technically savvy targets (the infamous Slashdot/LinkedIn MitM/MotS against EU telecoms tech staff), having a tight control on redirects should be a security priority for Mozilla.

Please fix in the next point release.

A swift and successful resolution will result in a modest donation to Mozilla. Thank you.


Modified by mietekszczesniak
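The question above asks that a redirect warning show the target URL and the mechanism (JavaScript, HTML meta tag, or 30x status). The following added example, which is not part of the original thread and is not Firefox code, reads both from a single HTTP response; the function names and the sample responses are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

class MetaRefresh(HTMLParser):
    """Collects the content= value of every <meta http-equiv="refresh">."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.values.append(a.get("content") or "")

def refresh_target(value):
    """'5; url=/next' -> '/next'. A bare delay ('30') is a reload: returns ''."""
    rest = value.partition(";")[2].strip()
    rest = re.sub(r"^url\s*=\s*", "", rest, flags=re.I)
    return rest.strip("'\"")

# Heuristic: finds literal string targets only, not URLs built at run time.
JS_NAV = re.compile(
    r"""location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']""")

def describe_redirects(url, status, headers, body):
    """Return [(mechanism, absolute target URL)] found in one HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    found = []
    if status in (301, 302, 303, 307, 308) and "location" in h:
        found.append((f"HTTP {status}", urljoin(url, h["location"])))
    if "refresh" in h:
        found.append(("Refresh header", urljoin(url, refresh_target(h["refresh"]))))
    parser = MetaRefresh()
    parser.feed(body)
    for value in parser.values:
        found.append(("meta refresh", urljoin(url, refresh_target(value))))
    for m in JS_NAV.finditer(body):
        found.append(("JavaScript", urljoin(url, m.group(1) or m.group(2))))
    return found

if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    page = "https://example.com/a"
    meta = '<meta http-equiv="Refresh" content="0; URL=\'https://example.net/x\'">'
    script = '<script>window.location.replace("/next?x=1");</script>'
    print(describe_redirects(page, 302, {"Location": "/login"}, ""))
    print(describe_redirects(page, 200, {}, meta + script))
```

A target that a script computes at run time is not found by the JavaScript pattern, so an empty result does not prove that a page will not navigate.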

All Replies (2)


Please note that this feature actually is very limited in purpose: it is meant to avoid confusing accessibility add-ons or users with accessibility challenges, and not to prevent all possible kinds of redirection. Hence its placement under Accessibility options rather than Security options.

To morph the functionality in a new direction, I suggest filing a bug report at: https://bugzilla.mozilla.org/. Such a change could take several versions to make it into the regular release of Firefox. In the meantime, perhaps you can find an extension that offers this protection?

more options

See also:

  • Bug 685496 - (redirect-warn) Tracking bug for enhancements and bugs with "Warn Me when web sites try to redirect or reload the page" feature and the corresponding "Firefox prevented this page from automatically redirecting to another page" information bar