Avatar for Username

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

This thread was archived. Please ask a new question if you need help.

[Security Issue] Redirect block is useless without redirect info.

  • 2 replies
  • 2 have this problem
  • 4 views
  • Last reply by cor-el

mietekszczesniak
mietekszczesniak
more options

I turned on "Warn me when websites try to redirect or reload a page."

However, when I get the warning (plus an Allow button) I'm not told where the redirect leads. How am I supposed to decide whether I want to take that redirect or if it's safe if I have no idea where it's taking me?

At the very least, Firefox should display the redirect URL. It's also a good idea to tell the user whether it's a javascript redirect, a html meta tag redirect, or a 30x HTTP code - and if the latter, which one exactly. (Telling this could be an option for the more technically sophisticated users.)

And I sincerely hope that the redirect warning feature stops all of the above. Otherwise what's the point if it can be circumvented. (Please elaborate in response.)

With the NSA using redirects against even technically savvy targets (the infamous Slashdot/LinkedIn MitM/MotS against EU telecoms tech staff), having a tight control on redirects should be a security priority for Mozilla.

Please fix in the next point release.

A swift and successful resolution will result in a modest donation to Mozilla. Thank you.

I turned on "Warn me when websites try to redirect or reload a page." However, when I get the warning (plus an Allow button) I'm not told where the redirect leads. How am I supposed to decide whether I want to take that redirect or if it's safe if I have no idea where it's taking me? At the very least, Firefox should display the redirect URL. It's also a good idea to tell the user whether it's a javascript redirect, a html meta tag redirect, or a 30x HTTP code - and if the latter, which one exactly. (Telling this could be an option for the more technically sophisticated users.) And I sincerely hope that the redirect warning feature stops all of the above. Otherwise what's the point if it can be circumvented. (Please elaborate in response.) With the NSA using redirects against even technically savvy targets (the infamous Slashdot/LinkedIn MitM/MotS against EU telecoms tech staff), having a tight control on redirects should be a security priority for Mozilla. Please fix in the next point release. A swift and successful resolution will result in a modest donation to Mozilla. Thank you.

Modified by mietekszczesniak

All Replies (2)

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 10 Contributor
more options

Please note that this feature actually is very limited in purpose: it is meant to avoid confusing accessibility add-ons or users with accessibility challenges, and not to prevent all possible kinds of redirection. Hence its placement under Accessibility options rather than Security options.

To morph the functionality in a new direction, I suggest filing a bug report at: https://bugzilla.mozilla.org/. Such a change could take several versions to make it into the regular release of Firefox. In the meantime, perhaps you can find an extension that offers this protection?

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

See also:

  • Bug 685496 - (redirect-warn) Tracking bug for enhancements and bugs with "Warn Me when web sites try to redirect or reload the page" feature and the corresponding "Firefox prevented this page from automatically redirecting to another page" information bar