noscript information leak while private browsing


Post by lou »

Hi,

While private browsing is enabled, NoScript dumps data to ~/.xsession-errors on Linux, so e.g. the visited site is leaking:
[NoScript] [NoScript] Blocking refresh on unfocused tab, http://example.org/to/protect/the/innocent
So every site with some self-refresh can easily get logged. Maybe other data is leaked too.

greetings
Mozilla/5.0 (X11; Linux i686; rv:2.0) Gecko/20110327 Firefox/4.0 Iceweasel/4.0

Re: noscript information leak while private browsing

Post by Giorgio Maone »

Do you mean that any message logged using Firefox's dump() facility gets stuffed in a file on Linux automatically and for every user?
This seems pretty stupid to me.
lou wrote: Maybe other data is leaked too.
Nope, it's pretty much the only instance of URLs dumped in default configuration.
However, if you're doing debugging and turn the noscript.consoleDump preference to something different than 0, then probably you're gonna get tons of interesting stuff there, but I hope you know what you're doing.
Anyway, I'm gonna just disable any dump() logging when in private browsing mode.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0

Re: noscript information leak while private browsing

Post by Guest »

Giorgio Maone wrote:Do you mean that any message logged using Firefox's dump() facility gets stuffed in a file on Linux automatically and for every user?
Don't know because I didn't look at the code. But if you would run Firefox (or any other program) from a console, all console output gets dumped to the console (I think because of this, it's called console output *jokingly*). No console -> console output gets dumped to the user's .xsession-errors file.
Giorgio Maone wrote:This seems pretty stupid to me.
Just guessing, but maybe Mozilla's use of dump() is to have output although there is private browsing and regardless of whatever other mode is running and so it's not the intended way to dump data? How do they manage this? Do they disable dump() while private browsing or do they use another facility?
Giorgio Maone wrote:However, if you're doing debugging and turn the noscript.consoleDump preference to something different than 0, then probably you're gonna get tons of interesting stuff there, but I hope you know what you're doing.
Didn't touch consoledump so it is set to 0.
Mozilla/5.0 (X11; Linux i686; rv:2.0) Gecko/20110327 Firefox/4.0 Iceweasel/4.0
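
An added example, not part of the thread or of NoScript's code: a small Python audit that finds URLs on `[NoScript]` lines of a session log such as ~/.xsession-errors and builds a redacted copy of the text. The tag and the sample line come from the first post; the function name, URL pattern, redaction marker and the other sample lines are assumptions.

```python
import re
from pathlib import Path

# Tag taken from the log line quoted in the first post.
NOSCRIPT_TAG = "[NoScript]"
# Assumed URL pattern: scheme://... up to whitespace, a quote or an angle bracket.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
REDACTED = "[url-redacted]"  # assumed marker, not a NoScript convention


def audit_log(text):
    """Return (findings, scrubbed_text) for the given log contents.

    findings: list of (line_number, url) for every URL on a NoScript line.
    scrubbed_text: the same log with those URLs replaced by REDACTED;
    lines written by other programs are left untouched.
    """
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        if NOSCRIPT_TAG in line:
            findings.extend((lineno, url) for url in URL_RE.findall(line))
            line = URL_RE.sub(REDACTED, line)
        out.append(line)
    return findings, "".join(out)


# Constructed sample log; only the second line is modelled on the thread.
SAMPLE = (
    "session-daemon[1234]: unrelated warning, see http://example.net/keep\n"
    "[NoScript] [NoScript] Blocking refresh on unfocused tab, "
    "http://example.org/to/protect/the/innocent\n"
    "Window manager warning: nothing to see here\n"
)

if __name__ == "__main__":
    # Read the real log if it exists, otherwise fall back to the sample.
    log = Path.home() / ".xsession-errors"
    text = log.read_text(errors="replace") if log.exists() else SAMPLE
    findings, _scrubbed = audit_log(text)
    for lineno, url in findings:
        print(f"line {lineno}: {url}")
    print(f"{len(findings)} URL(s) found on NoScript lines")
```

The script only reads the log; writing the scrubbed text back is left to the user, since the session may still hold the file open.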