[Pkg-mozext-maintainers] Bug#771286: privacy breach: loads FAQ from the network after first installation
Damyan Ivanov
dmn at debian.org
Fri Nov 28 09:07:59 UTC 2014
Package: xul-ext-https-everywhere
Version: 4.0.2-1
Severity: important
Tags: patch upstream

The first time the browser is started after installing
xul-ext-https-everywhere, a notification bar is shown, informing of
the fact that some https enforcement is active and pointing to the
toolbar button for options.

What is bad about that is that when the notification is dismissed, the
browser is forced to open https://www.eff.org/https-everywhere/faq

This is a privacy breach, as it informs the authors (and the user's ISP)
that there is a new installation of https-everywhere.

The attached patch adds a dedicated button to the notification bar.
Pressing that button loads the FAQ page as before, and just dismissing
the notification bar does nothing. In other words, it makes the user
*request* the FAQ before loading it.

-- dam

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xul-ext-https-everywhere depends on:
ii icedove 31.2.0-1
ii iceweasel 33.1-1
xul-ext-https-everywhere recommends no packages.
xul-ext-https-everywhere suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no-unconditional-FAQ-load.patch
Type: text/x-diff
Size: 1776 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozext-maintainers/attachments/20141128/4dc81132/attachment-0001.patch>