On Mon, Nov 17, 2014 at 15:06:21 +0100,
 Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
> On 17.11.2014 at 14:41, Bruno Wolff III wrote:
>> Firefox is really not set up with privacy as a high priority. Some bad
>> things it does from a privacy perspective are:
>>
>> If you type a name in the URL bar and send, if the name doesn't match a
>> domain Google is contacted. (And it is Google even if you have some
>> other search engine set.)
>>
>> OCSP is used to check for certificate revocations. For some threat
>> models this cure is worse than the disease. There should be an easy way
>> to disable this.
>
> not such problem if more sites would be configured properly
> http://en.wikipedia.org/wiki/OCSP_stapling

That does sound like an improvement, but I haven't run across an easy way
to enable that while disabling normal OCSP.

>> Javascript is not easy to disable without installing a third party
>> plugin, and the way that plugin works still leaves some exposure to
>> javascript related issues.
>
> and every time a newspaper recommends to disable it weeks later we got
> complaints that some forms don't work because tech to make it harder
> to submit them automated until analyze what JS actions are expected

Javascript is way too powerful to leave on for any old web site. Most
web sites way overuse it. Yes, it is needed for web sites that are
really applications, but most websites could be set up so they are
usable without it. They just don't bother.

>> The referer header is sent by default. It isn't obvious how to disable
>> that
>
> please don't propose disabling the Referer globally
> a smart default would be
> https://addons.mozilla.org/DE/firefox/addon/smart-referer/ to send it
> only to the same domain

Having to install a third party package to do this doesn't make it simple.
This feature should be built in.
Some people may not want to supply referer headers when moving around
within sites. For that there should be a per domain override similar
to cookies.

> every time when people come out with "how to disable referrer,
> javascript and the useragent" they have no clue what harm they are
> doing for sane websites which try to protect themselves and their owners
> from automated attacks / junk

Web sites should work just fine without a supplied user agent. If they
don't, they are broken. Bots can forge common user agent strings easily;
relying on checking for user agent for security purposes is silly.
A number of sites think there are only 3 or 4 different browsers and refuse
to work if you aren't using one of them. Other web sites aren't designed
to handle the optional user agent header not being supplied and will
break needlessly.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct