| 15320 |
Forms/Necko: Temp file (formpost) left after file upload |
P1 |
VERIFIED |
| 16499 |
Work around sendmail bug which reveals bcc recipients when all recipients are bcc |
P3 |
VERIFIED |
| 17661 |
Preference for "Ask before sending e-mail address as FTP password" |
P4 |
RESOLVED |
| 24418 |
[meta] Allow user to turn on and off rendering of video/audio (disable sound) |
-- |
NEW |
| 28327 |
No server hits at HTML mailnews reading - privacy (disable remote content/web-bugs) |
P3 |
RESOLVED |
| 32018 |
wrong UI for SSL SMTP in account manager |
P3 |
VERIFIED |
| 37454 |
Delete & add acct back within same session shows old folders |
-- |
RESOLVED |
| 44845 |
[meta] No network communication without explicit user request |
P3 |
RESOLVED |
| 50205 |
Find privacy links |
P3 |
RESOLVED |
| 53239 |
What's Related surfing when it is collapsed - privacy issue |
P1 |
VERIFIED |
| 55366 |
Don't reveal UI language to site/page -- Change navigator.language to use Accept-Language instead of the UI language |
P4 |
RESOLVED |
| 55477 |
UI-Pref to send HTTP "Referer" (referrer) always/never/only at same server |
-- |
RESOLVED |
| 57351 |
css on a:visited can load an image and/or reveal if visitor been to a site |
P3 |
VERIFIED |
| 57555 |
UA-string is telling sites too much about the system |
P3 |
RESOLVED |
| 57675 |
More descriptive error message for non-http:// urls in What's Related |
-- |
VERIFIED |
| 58580 |
Temp files from sending drafts or posting news are (created with bad permissions and) left behind |
P3 |
RESOLVED |
| 58930 |
POST with enctype=multipart/form-data leaves a temp file |
P1 |
VERIFIED |
| 58979 |
store all compose temp files in directory under /tmp, and remove that directory on quit |
-- |
NEW |
| 59557 |
Permissions should not be world-readable for profile directory |
-- |
RESOLVED |
| 62178 |
implement mechanism to prevent sending insecure requests from a secure context |
P1 |
RESOLVED |
| 64267 |
clicking on email address/mailto link in message body doesn't set the correct From (identity) - use account/identity of current message, not the default account/identity |
-- |
RESOLVED |
| 64800 |
Deletion of news accounts don't delete newsrc files |
-- |
NEW |
| 67447 |
iframes allow the setting of third party cookies |
-- |
VERIFIED |
| 67702 |
Forwarding mail should remove JavaScript from the message |
-- |
NEW |
| 68682 |
Saving inline attachments saves whole msg |
-- |
VERIFIED |
| 68686 |
Shrink .jar files by stripping out whitespace, comments |
-- |
RESOLVED |
| 70676 |
Kerberos POP support |
-- |
RESOLVED |
| 74075 |
Mozilla displays pages which required authentication (after reload) from cache |
-- |
RESOLVED |
| 76463 |
formpost files should use 600, not 666, for permissions |
P1 |
VERIFIED |
| 84749 |
BODY onUnload JavaScript gets wrong value for location.href |
-- |
VERIFIED |
| 88183 |
navigator.plugins leaks path names |
-- |
VERIFIED |
| 88771 |
URL bar menu (autocomplete) should hide URL passwords |
-- |
RESOLVED |
| 92716 |
Need way to completely disable user-agent header |
P4 |
RESOLVED |
| 94118 |
blocked images are downloaded anyway |
P2 |
RESOLVED |
| 96351 |
accept cookies only from originating site easily circumvented |
-- |
RESOLVED |
| 101723 |
lock icon only works for the first tab |
-- |
VERIFIED |
| 102015 |
Recent Pages list cannot be cleared from prefs dialog |
-- |
NEW |
| 107088 |
mozilla creates world-readable temp files |
-- |
VERIFIED |
| 116938 |
tries to save .exe file rather than play it |
P1 |
VERIFIED |
| 118338 |
addressbook file contains infomation about deleted people if duplicate people are created |
-- |
RESOLVED |
| 118411 |
Can't send message with an attachment whose filename contain a '/' |
P2 |
RESOLVED |
| 118766 |
Messages printed from print preview contain full path URL to mailbox in header (privacy/security concern, ux-error-prevention) |
-- |
RESOLVED |
| 119828 |
Credit Card information plainly visible w/o supplying a password |
-- |
VERIFIED |
| 121361 |
Navigator: Untrustable security information due to incomplete navigator tab support |
P4 |
VERIFIED |
| 125738 |
Forwarding should strip X-Mozilla-Status2 (label) |
-- |
VERIFIED |
| 126720 |
Full-screen: Ability to show status bar (security icon ?) |
-- |
RESOLVED |
| 127032 |
Full-Screen mode should have some indication of entering secured site |
-- |
RESOLVED |
| 127444 |
Full screen mode on Linux hides titlebar |
-- |
RESOLVED |
| 127872 |
"Internet Keywords-only" mode for "Location" |
-- |
RESOLVED |
| 128693 |
file is attached if you change hyperlink |
-- |
VERIFIED |
| 130149 |
Composer reveals login and password on publish in html-source |
-- |
VERIFIED |
| 130222 |
js text in status bar can push icons out of view |
-- |
RESOLVED |
| 130794 |
lock icon issue: no certificate or security info in pageinfo screen for https |
P1 |
VERIFIED |
| 131692 |
Overzealous address-autocompletion without possibility to correct address (no way of composing to email addresses which are similar to existing addresses in AB; can't remove or correct display name of first preselected matching contact result) |
-- |
VERIFIED |
| 132257 |
Inserting a link to a [network][image] file into a message inserts the physical file! |
-- |
VERIFIED |
| 132755 |
Add preference for automatic removal of completed files from Download Manager/downloads.rdf. |
-- |
VERIFIED |
| 133073 |
Active panel being loaded although sidebar is hidden |
-- |
VERIFIED |
| 134370 |
Moz displays my ftp password in 24-pt bold font |
P1 |
VERIFIED |
| 136054 |
DL manager doesn't observe history expire pref |
-- |
VERIFIED |
| 136782 |
"Send Page" should not put a link for file:/// URLs into the compose frame |
-- |
NEW |
| 141051 |
[RC 1.0 bug] New email window shows briefly old subject |
-- |
VERIFIED |
| 143220 |
[FIX]Script can get the value of a file control, including the path |
-- |
RESOLVED |
| 145579 |
Website can see url of page visited after it (document referer used when loading images with javascript is incorrect while loading a new page) |
P1 |
VERIFIED |
| 145780 |
Forwarding message with blank subject reveals mail server, user name, folder name |
-- |
VERIFIED |
| 146695 |
Mozilla send _content as referrer when loading something in the sidebar. |
-- |
VERIFIED |
| 147777 |
:visited support allows queries into global history |
P1 |
RESOLVED |
| 158463 |
Sites use iframes to bypass third-party cookie blocking |
P2 |
RESOLVED |
| 163551 |
Implement complete email address privacy |
P2 |
RESOLVED |
| 167475 |
[URL] Disable external and returning no data protocol handlers in all cases, excluding <A HREF=> |
-- |
VERIFIED |
| 175258 |
HTML Mail loads css stylesheet even if images and plugins are disabled |
-- |
RESOLVED |
| 177988 |
Storing persistent data (implicit cookie) with XUL |
-- |
RESOLVED |
| 178038 |
[RFE] allow for preference to override FQDN for message-id generation |
-- |
RESOLVED |
| 182045 |
Prefs->Privacy->History should offer to clear download manager |
-- |
RESOLVED |
| 182640 |
Privacy: window.open() in bookmark leaks URL of current page through (wrong!) referrer header |
-- |
RESOLVED |
| 184614 |
valgrind doesn't like nsDiskCacheBlockFile::WriteBlocks (uninitialized memory written to cache) |
-- |
VERIFIED |
| 186834 |
Removing POP account does not forget password |
-- |
NEW |
| 188175 |
Images are fetched when pressing Print even when remote images are off |
P3 |
RESOLVED |
| 188285 |
Form autocomplete should not store credit card numbers |
-- |
RESOLVED |
| 188955 |
CSS list item images are loaded even if image loading is blocked or disabled |
P2 |
RESOLVED |
| 195388 |
Clearing Download Manager History doesn't work |
-- |
VERIFIED |
| 199709 |
Remote images are loaded even if I check "Do not load remote images" in preferences |
-- |
VERIFIED |
| 200716 |
Cross server javascript used to circumvent cookies blocking |
-- |
RESOLVED |
| 202896 |
Cache-Control in Meta-Tag is ignored in xslt |
-- |
RESOLVED |
| 202910 |
Option to clear location bar typed-URL history automatically (on exit) |
-- |
RESOLVED |
| 205756 |
Compact folders should be enabled by default |
-- |
RESOLVED |
| 205821 |
Mozilla using wrong files after profile switch, causing information leaks |
-- |
RESOLVED |
| 206681 |
Need a way (pref) to stop attaching the images on Reply |
-- |
RESOLVED |
| 207990 |
browser.formfill.enable value ignored |
-- |
VERIFIED |
| 208821 |
Remove email address as anon. ftp password |
-- |
RESOLVED |
| 216596 |
No referrer (referer) options in Firefox's privacy or advanced panels |
-- |
RESOLVED |
| 216907 |
Save Page As "Web Page, complete" doesn't save favicon |
P5 |
RESOLVED |
| 218917 |
Allow login_name != email_address, so address isn't displayed (anti-spam effect too) |
-- |
RESOLVED |
| 219250 |
Printing e-mail with images, when image download is disabled, still prints images |
-- |
RESOLVED |
| 220370 |
Allow user to select which address book(s) to use for autocompletion (expose existing per-AB pref to include/exclude AB from auto-completing); prevent privacy issues when inactive/undesired addresses are autocompleted |
-- |
NEW |
| 222927 |
Password protection of mail accounts has problems |
-- |
RESOLVED |
| 224080 |
Ability to have master password for password store missing |
-- |
RESOLVED |
| 226548 |
Wrong http_referer sent when middle-clicking link from sidebar |
P2 |
RESOLVED |
| 231852 |
ETag: filtering to counter web tracking |
P3 |
RESOLVED |
| 233075 |
Password autofills in cleartext |
-- |
RESOLVED |
| 234680 |
Uninstall should give the option to remove profile data |
-- |
RESOLVED |
| 234700 |
deleting history entry doesn't remove it from history.dat |
-- |
RESOLVED |
| 235432 |
Mailnews/Thunderbird leaves unused nsqmail.tmp (nsqmail-*.tmp, nsemail.eml) files in temporary folder (TEMP or /tmp) after quit |
-- |
RESOLVED |
| 239223 |
[Meta] firefox.exe doesn't always exit after closing all windows; session-specific data retained |
-- |
RESOLVED |
| 241572 |
Drop file into HTML message body should not generate "file://" URL text |
-- |
NEW |
| 242956 |
Stored password is inserted into a readable text input on a second page |
-- |
RESOLVED |
| 243136 |
saved form data should expire after a time period defined by user |
-- |
RESOLVED |
| 243306 |
"Do not load remote images in Mail & Newsgroup messages" not reliable |
-- |
RESOLVED |
| 243885 |
To: field contains more than one whitespace after first colon when message sent without name |
-- |
RESOLVED |
| 245861 |
Firefox never delete temp files produced by drag and drop |
-- |
VERIFIED |
| 248853 |
thunderbird displays IFRAMEs when they're included in an html mail |
-- |
RESOLVED |
| 248970 |
Private Browsing mode (global toggle for saving/caching everything) |
-- |
VERIFIED |
| 251690 |
Client Certificate installs without notification (feedback) to user |
-- |
RESOLVED |
| 252486 |
Add option to disable saving form data on https websites |
-- |
RESOLVED |
| 253317 |
Provide hyphenation dictionary for justified text |
-- |
RESOLVED |
| 253331 |
Search bar's text should be cleared after a search is performed |
P5 |
NEW |
| 256510 |
Return receipts don't use Multiple identities |
-- |
VERIFIED |
| 257309 |
Return receipts should not reveal forwarded email addresses in headers |
-- |
NEW |
| 258185 |
Current referer sent when pressing shift-enter in location field |
P1 |
RESOLVED |
| 259091 |
Viewing email should not automaticaly open remote files via "iframe src='http:...FILE'" |
-- |
RESOLVED |
| 259532 |
talkback-public.mozilla.org is helping spammers by publishing valid email addresses |
-- |
VERIFIED |
| 260288 |
internal IP address (behind NAT rounter) is exposed by Java |
-- |
RESOLVED |
| 262759 |
Add SSL support to the Mozilla IRC network |
-- |
RESOLVED |
| 263213 |
Don't use I'm Feeling Lucky search when protocol (such as http:// or https://) specified |
P3 |
VERIFIED |
| 263216 |
links opened into new tab from ChatZilla pass the URL of the current tab as the http Referer |
P4 |
RESOLVED |
| 263220 |
Block remote images: Investigate ways of not whitelisting if From: address same as To: (forgery) |
-- |
NEW |
| 263290 |
view-source: protocol allows viewing "cache-control: no-store" pages that are no longer being displayed |
P3 |
NEW |
| 263345 |
Remote images not blocked when forwarding mail (inline) or replying |
-- |
RESOLVED |
| 265028 |
Clearing cache sometimes fails |
P1 |
RESOLVED |
| 266203 |
Calendar password displayed in clear txt |
-- |
RESOLVED |
| 267472 |
possibility to change HELO/EHLO string |
-- |
RESOLVED |
| 267645 |
Page can obtain path to Mozilla installation or possibly profile by examining JavaScript exceptions |
P3 |
RESOLVED |
| 270697 |
Autocomplete data leak |
-- |
VERIFIED |
| 271097 |
searchplugin auto update should ask user |
-- |
RESOLVED |
| 271405 |
Implement optional warning/confirmation prompt when sending bulk mail to many recipients without using BCC: [plenty/a lot/lots of To or CC recipients: suggest/propose using BCC instead] |
P2 |
RESOLVED |
| 271917 |
Bcc: and Cc: fall back to To: in compose window when double clicking a contact/email address/recipient/mailing list in contacts sidebar |
P3 |
NEW |
| 274875 |
despite being logged out of gmx.de going back in browser history shows content |
-- |
RESOLVED |
| 274889 |
Can't disable Thunderbird "show password" feature |
-- |
RESOLVED |
| 276677 |
Security: User's remote mailboxes and messages should become visible only after login |
-- |
RESOLVED |
| 278176 |
Remote server hits reading mail possible using news: (gopher no longer a problem) |
-- |
NEW |
| 278232 |
deleted search entries restored on browser restart |
-- |
RESOLVED |
| 279562 |
Copy and paste of an ftp link can reveal account/password |
P5 |
NEW |
| 280662 |
master password should (optionally) encrypt more data |
-- |
RESOLVED |
| 283521 |
Add security icon/button to the Chatzilla status bar. |
-- |
RESOLVED |
| 283619 |
JavaScript redirection contains the HTTP referer |
-- |
RESOLVED |
| 284086 |
"Sanitize on shutdown" fails if the last closed window is not a browser window |
-- |
RESOLVED |
| 285790 |
saved form information should be managed by master password |
-- |
RESOLVED |
| 286703 |
Password found in core file |
-- |
RESOLVED |
| 286888 |
Always make compacting folders automatic, with no UI |
-- |
NEW |
| 289897 |
huge memory leak when klipper is running |
-- |
RESOLVED |
| 290456 |
Clear plugin data in "clear private data"/"forget about this site" |
-- |
RESOLVED |
| 292589 |
[FIX]XBL load missing content policy check (Thunderbird not blocking remote content) |
P1 |
RESOLVED |
| 295922 |
Client Auth "select cert automatically" is considered a privacy issue |
P2 |
RESOLVED |
| 295994 |
Can store cookie-like information via xul persist attribute |
P3 |
RESOLVED |
| 296270 |
Default user agent on AIX contains machine information |
-- |
VERIFIED |
| 297278 |
Thunderbird should warn before sending passwords over plaintext protocols |
-- |
RESOLVED |
| 303754 |
Make false the default for "Allow remote images if the sender is in my [address book]" |
-- |
RESOLVED |
| 305462 |
"Clear Cache Now" doesn't clear bfcache |
-- |
RESOLVED |
| 307046 |
Autosave leaves ghost messages in drafts on cancelling compose |
-- |
VERIFIED |
| 307828 |
Information leak of file names being viewed from web pages |
-- |
NEW |
| 308483 |
clear search history option can be misleading, because it also doesn't clear history |
P3 |
RESOLVED |
| 308808 |
Web pages can detect which extensions are installed (CheckLoadURI call for <script> allows chrome: URLs) |
-- |
RESOLVED |
| 308940 |
Clear Private Data does not clear cookies on Mac |
-- |
RESOLVED |
| 309031 |
"Clear Private Data" only succeeds to remove cookies on the next startup |
-- |
RESOLVED |
| 311292 |
Can't specify download location of temp files on Mac |
-- |
RESOLVED |
| 311664 |
Clearing cookies via "Clear Private Data" doesn't update the Cookies Manager until it's reopened |
-- |
RESOLVED |
| 312036 |
history.dat contains entries deleted from the "date and site" view |
-- |
RESOLVED |
| 313856 |
Image properties show used password in clear text |
-- |
RESOLVED |
| 314755 |
sanitization at shutdown sometimes fails (resulting in a confirmation dialog for clearing private data when firefox starts) |
-- |
NEW |
| 315351 |
How spammers can identify your email without you doing anything. |
-- |
RESOLVED |
| 315625 |
When forwarding a message inline, Thunderbird strips inline-images |
-- |
RESOLVED |
| 316042 |
Clearing saved form history should clear text currently in the search bar |
-- |
RESOLVED |
| 316084 |
Migrated base64 suite passwords not encrypted when master PW added in Firefox |
P2 |
RESOLVED |
| 317260 |
Clear Private Data should use safe deletion (data scrubbing) |
P5 |
NEW |
| 317461 |
Microsoft/DigitalPersona Fingerprint Reader stopped working with 1.5RC3 |
-- |
RESOLVED |
| 319486 |
Empty Cache and Reset Camino don't clear site icon cache |
-- |
RESOLVED |
| 319649 |
"Reset Camino" should reset the last visited date on bookmarks, too |
-- |
RESOLVED |
| 320505 |
Not able to 'clear private data' if history is off (= "remember history for 0 days") |
-- |
RESOLVED |
| 320925 |
"Clear private data" (sanitize) feature should have an option to clear the last used download target directory name and path |
-- |
UNCONFIRMED |
| 321422 |
FRAMAKEY / Portable Thunderbird - informations of the accounts users stay on station of reception |
-- |
RESOLVED |
| 322169 |
Clear Private Data does not clear JS Console |
-- |
RESOLVED |
| 323966 |
Users expect clearing history to clear searchbar also |
P3 |
RESOLVED |
| 324354 |
Ctrl-Z (undo) reveals visited URLs AFTER clearing history |
-- |
RESOLVED |
| 324397 |
Third-party cookies should be blocked by default (flip the hidden pref) |
-- |
RESOLVED |
| 325435 |
In Camino, Google sets cookies although cookies are NOT allowed |
-- |
RESOLVED |
| 325458 |
Recipient Autocomplete: Nickname does not get highest precedence for matching address book entries, for searchphrase==nickname [To, CC, addressing field/area, toplisted, priority, results] |
-- |
RESOLVED |
| 325506 |
Ctrl-Z (undo) reveals visited URLs AFTER clearing history |
-- |
REOPENED |
| 325908 |
message pane downloads external linked .css urls even though images aren't downloaded. |
-- |
RESOLVED |
| 325929 |
Using calendar (0.2 based build) bypasses master password security in Thunderbird mail |
-- |
VERIFIED |
| 326111 |
Spotlight/virus checker interaction: Copies of cookies.txt remain after clearing cookies |
-- |
RESOLVED |
| 327738 |
Reset Camino doesn't reset minimized windows |
-- |
VERIFIED |
| 327818 |
0 days of history is still a lot |
P3 |
RESOLVED |
| 327819 |
Clearing history doesn't affect bookmarked items. |
-- |
RESOLVED |
| 328140 |
Integrate 0-filling patch into storage system |
-- |
RESOLVED |
| 328917 |
Mail Multiple Information Disclosure Vulnerabilities |
-- |
RESOLVED |
| 329741 |
history.dat, formhistory.dat, downloads.rdf should be deleted when the user clears private data |
P2 |
RESOLVED |
| 330332 |
Recognizable history in bookmarks_history.sqlite after being deleted |
P1 |
RESOLVED |
| 330443 |
privacy: loading remote xbl when replying or forwarding |
-- |
RESOLVED |
| 330578 |
(Shift+) delete in URL bar autocomplete list no longer persistent. |
-- |
VERIFIED |
| 330884 |
When different users on one system choose to save or not save passwords for sites, any other user can see sites they not only saved passwords for but can also see what other users have been saving/never saving passwords for. |
-- |
RESOLVED |
| 331652 |
store hashes instead of site name for sites for which you select "Never Save" |
P5 |
RESOLVED |
| 331804 |
InstallTrigger.getVersion() is allowed from unprivileged scripts |
-- |
RESOLVED |
| 331985 |
Don't save favicons when history is disabled. |
P2 |
RESOLVED |
| 332028 |
History URL domain blacklisting |
-- |
RESOLVED |
| 332536 |
Microsoft Fingerprint Reader no longer works for Firefox master password dialog (worked in Firefox 1.0.6) |
-- |
RESOLVED |
| 333591 |
Clear Private Data does not clear Saved Form Information |
P1 |
RESOLVED |
| 333832 |
Firefox didn't finish download websites, in combination with webwashers standard filter |
-- |
RESOLVED |
| 333907 |
XRE quits too abruptly when Windows is shut down |
P2 |
VERIFIED |
| 335163 |
Spotlight metadata folder is deleted and recreated on launch |
-- |
RESOLVED |
| 341035 |
Livemark service should delete annotations on livemark delete |
P2 |
RESOLVED |
| 341206 |
[Compact folders when it will save over] checkbox should be checked by default. |
-- |
RESOLVED |
| 341524 |
Make webapps session storage follow the cookie prefs |
-- |
RESOLVED |
| 341833 |
Engine metadata should be removed when a profile search plugin is removed |
P3 |
RESOLVED |
| 342612 |
training.dat leaks words in encrypted email |
-- |
NEW |
| 342801 |
third party cookies being accepted despite user's settings |
-- |
RESOLVED |
| 343212 |
Clear private data...>Browsing History should also clear the 'Undo Close Tab' history |
-- |
RESOLVED |
| 343999 |
window.home() incorrectly handles multiple home pages specified with | |
-- |
NEW |
| 344255 |
Bookmarks metadata (created/last accessed date) cannot be removed; privacy issue. |
-- |
RESOLVED |
| 345345 |
Session Restore remembers logins from session cookies |
-- |
RESOLVED |
| 345675 |
unwanted connection to www.google.com at startup with Safe Browsing disabled |
-- |
RESOLVED |
| 345989 |
add 'block cookies from this site' context menu to cookieviewer |
-- |
RESOLVED |
| 345993 |
Make the full Build ID more accessible to testers |
-- |
VERIFIED |
| 346927 |
drawImage corrupts transparent 24-bit PNGs with 1-bit-convertible alpha |
-- |
RESOLVED |
| 347852 |
reload leaks data from cache to end of page after hash collision in cache |
-- |
RESOLVED |
| 348601 |
permanent certificate error overrides not removed after using "clear recent history..." |
P5 |
RESOLVED |
| 350521 |
navigator.buildID leaks true version even when UA spoofed |
-- |
RESOLVED |
| 350785 |
Autocomplete / Form Manager stores element data even if Autocomplete is "off" |
-- |
VERIFIED |
| 351403 |
Reply to a forwarded message (.eml) should use correct identity |
-- |
RESOLVED |
| 352692 |
Inform users that saved passwords are not encrypted/secure (when master password is not used) |
-- |
RESOLVED |
| 356359 |
Username autocomplete dropdown showed part of my password |
-- |
RESOLVED |
| 356758 |
Temporarily suspend recording private data |
-- |
RESOLVED |
| 356808 |
Thunderbird silently ignores attachments if a file using the same name exists in moz_mapi folder (sends wrong / old / stale / previous version of attachment instead!) |
-- |
VERIFIED |
| 356919 |
After sending an e-mail with an attachment received by Thunderbird using SimpleMAPI, the temporary moz_mapi attachment file doesn't get automatically deleted, if the file has read-only attribute or is locked at the time of sending |
-- |
NEW |
| 358042 |
Session Restore restores session cookies (potential privacy problem for shared user accounts) |
-- |
RESOLVED |
| 358365 |
Private data not cleared on closing Firefox |
-- |
VERIFIED |
| 358739 |
history.dat file may not be empty even when history is deleted |
-- |
RESOLVED |
| 358878 |
Feed preview's request for favicon.ico should not send Referer |
P1 |
RESOLVED |
| 359479 |
Remote Images in iframes bypass remote content blocker |
-- |
RESOLVED |
| 360107 |
"Clear Private Data" dialog on exit too easy to miss (should appear earlier and/or time out) |
-- |
RESOLVED |
| 360381 |
site_icons cause uncached images to be loaded twice or thrice (if bookmarked) |
-- |
RESOLVED |
| 360572 |
deleting a previous search entry does not work if a search suggestion is shown |
P1 |
VERIFIED |
| 362570 |
Better UI/options for people who want to downgrade most cookies to session cookies but allow some to persist |
-- |
RESOLVED |
| 364972 |
[SessionStore] allow SessionStore to work without writing data to disk |
-- |
RESOLVED |
| 365279 |
Thunderbird allows setting master password when it's not enabled |
-- |
RESOLVED |
| 366572 |
[SessionStore] clearing private data doesn't clear sessionstore.js at exit |
-- |
RESOLVED |
| 366782 |
IMG tags in NNTP posts cannot be blocked |
-- |
RESOLVED |
| 366810 |
remember pages will not forget |
-- |
RESOLVED |
| 366945 |
middle-clicking on a page starts a load based on clipboard contents (on unix-like hosts) |
-- |
VERIFIED |
| 367372 |
Do not download images in newsgroups by default |
-- |
RESOLVED |
| 367428 |
resource:// directory traversal |
P1 |
RESOLVED |
| 368106 |
Query params sent when reporting a phishing site could contain sensitive info |
-- |
RESOLVED |
| 368255 |
shouldn't send Google's cookie with SafeBrowsing API requests (sandbox it instead) |
-- |
RESOLVED |
| 369875 |
I get spybots every time I use Firefox |
-- |
RESOLVED |
| 371360 |
[FIX]scripts can tailgate departing users with onUnload |
-- |
RESOLVED |
| 371375 |
[FIX]Websites can test for URLs visited (pdp Firefox Cache Hack - Firefox History Hack redux) |
-- |
RESOLVED |
| 371482 |
Thunderbird respond invisible link |
-- |
RESOLVED |
| 373867 |
NSPR supports opening of UNC Paths, which can leak Windows OS Credentials |
-- |
RESOLVED |
| 374433 |
Firefox prints out a list of URIs to console when browser is started up |
-- |
RESOLVED |
| 375629 |
The annotations of an item (bookmark/folder) must be removed when the item itself is removed |
P2 |
RESOLVED |
| 376328 |
Prevent moz-icon: from referencing remote files |
-- |
RESOLVED |
| 376957 |
Prevent data leaks from cross-site JSON loads (JavaScript literals) |
P3 |
RESOLVED |
| 377117 |
use "cache timing" to detect whether the user has visited certain other sites |
P5 |
RESOLVED |
| 377630 |
Filename disclosure in /tmp - e.g. when saving attachments |
-- |
RESOLVED |
| 378046 |
Mail composition: opening/editing attached file sometimes unexpectedly opens/edits original file (only if attachment was added via TB OR drag-and-drop (non-MAPI) AND draft has never been closed yet): MAPI and non-MAPI behaviour should be consistent |
-- |
NEW |
| 380589 |
Clear Private Data might miss some SessionStore data |
-- |
RESOLVED |
| 380852 |
clear private data doesn't clear site-specific settings |
P1 |
VERIFIED |
| 380912 |
"Get me out of here" link doesn't handle pipe-delimited home page |
-- |
RESOLVED |
| 380994 |
Fix for bug 367428 lets through escaped slashes on Linux (windows too on trunk) |
P1 |
RESOLVED |
| 381006 |
external protocol handlers and privacy |
-- |
RESOLVED |
| 381264 |
XHR TRACK method (IIS) could be used to compromise Authorization and Cookie headers |
-- |
RESOLVED |
| 381266 |
Clicking Cancel multiple times on Master Password dialog finally unblocks login info |
-- |
RESOLVED |
| 381503 |
Using shift+delete to remove items from history in location bar appears to work but actually doesn't. |
-- |
RESOLVED |
| 381681 |
Form autocomplete information can be seen by evil sites convincing users to press arrow keys |
P3 |
REOPENED |
| 383014 |
Clear Recent History doesn't clear the moz_cache_groups table (part of offline cache) |
-- |
RESOLVED |
| 383209 |
Clear Private Data fails to clear stored passwords |
-- |
VERIFIED |
| 384207 |
Crash Reporter client should include a URL field |
P1 |
VERIFIED |
| 384524 |
Passwords still filled in on web sites after logged out of Software Security Device |
-- |
RESOLVED |
| 385605 |
URL passwords accessible from Flash or other plugins |
P3 |
RESOLVED |
| 385741 |
Want to be able to exclude sites from form autofill |
-- |
RESOLVED |
| 386005 |
passwords deleted from drop down menu in gmail.com apear to be deleted but are still saved |
-- |
VERIFIED |
| 386774 |
private data removal prompt upon browser closing not functioning |
-- |
RESOLVED |
| 388097 |
null-domain cookies possible (malicious cookie swapping) |
-- |
RESOLVED |
| 388239 |
Restart of Firefox after Yahoo mail signout = error saying Firefox did not close properly |
-- |
RESOLVED |
| 388313 |
Password manager should forget sort order on "Hide Passwords" if sort order was by password |
-- |
RESOLVED |
| 388969 |
sets cookie that exceptions shows to be blocked |
-- |
RESOLVED |
| 389126 |
Session Restore circumvents Clear Private Data |
-- |
RESOLVED |
| 391397 |
Need to clean up URLs before adding them to a crash report |
-- |
RESOLVED |
| 391806 |
Deleted Browser History is visible when typing a new URL |
-- |
VERIFIED |
| 392097 |
only showing 7 days of download history, until I search, then I see more items |
P1 |
VERIFIED |
| 392274 |
should _tzset on Win32 |
-- |
RESOLVED |
| 392571 |
email arriving in inbox inducing a popup showing the beginning of the message |
-- |
VERIFIED |
| 394651 |
Set "Accept cookies only from sites I visit" as default |
-- |
RESOLVED |
| 395399 |
Add white list of https servers for which client auth cert selection is automatic |
P3 |
RESOLVED |
| 395521 |
Privacy policy link not displayed for add-on featured at top of front page or on recommended list |
P4 |
RESOLVED |
| 395693 |
Ability to disable form manager (saving form information) for specific sites |
-- |
VERIFIED |
| 397082 |
A preference which allows to block cross domain referer data. |
-- |
RESOLVED |
| 397196 |
Clear private data does not clear last URL of Open Web Location dialog |
-- |
VERIFIED |
| 397427 |
[FIX]Stylesheet href property shows redirected URL unlike other browsers |
-- |
RESOLVED |
| 399324 |
Fetch missing intermediate certs (use AIA extension for incomplete cert chains) |
-- |
RESOLVED |
| 401296 |
docShell.allowPlugins not honored for direct links |
-- |
RESOLVED |
| 401811 |
Replace "Check by asking Google about each site I visit" with a more-frequent-update option |
-- |
RESOLVED |
| 401961 |
Get URIs of all windows/tabs |
-- |
RESOLVED |
| 402144 |
web-based content handlers could leak secure URIs |
-- |
NEW |
| 402152 |
web-based protocol handlers should strip out credentials, as per spec |
P2 |
RESOLVED |
| 402287 |
register{Protocol,Content}Handler should only be allowed from same host as handler |
P2 |
RESOLVED |
| 402398 |
data insecurity - winXP with more users -> also session restore for other users! |
-- |
UNCONFIRMED |
| 402730 |
Purge IMAP cache on exit for privacy |
-- |
NEW |
| 405620 |
Using middle-click for both "open link in new tab" and "paste" means pages can steal your clipboard contents |
-- |
RESOLVED |
| 405789 |
Private Data not cleared on shut-down |
-- |
RESOLVED |
| 406279 |
Changing Master Password Leaves Browser in Logged-In State |
-- |
NEW |
| 406848 |
change mail.prompt_purge_threshhold to true |
-- |
RESOLVED |
| 407582 |
Thunderbird doesn't respect primary email address of OS X address book when sending messages to a list |
-- |
NEW |
| 407910 |
clear site-specific preferences when clearing browser history |
P4 |
RESOLVED |
| 408076 |
out of bounds read in BMP decoder can lead to information disclosure |
P1 |
RESOLVED |
| 409624 |
FastFind not cleared when doing Clear private data |
-- |
RESOLVED |
| 409737 |
javascript.enabled and docShell.allowJavascript do not disable all event handlers |
-- |
RESOLVED |
| 409945 |
Charset annotations created on import should be itemAnnotations (was: Clear private data doesn't force smart bookmarks to rebuild) |
P2 |
RESOLVED |
| 410691 |
When blocking images from the context menu and undoing, an "allow" exception is added |
-- |
VERIFIED |
| 410794 |
temporary downloads no longer cleaned up at shutdown (read-only) |
-- |
VERIFIED |
| 411088 |
when deleting a tagged bookmark from the places organizer, the tag remains |
P2 |
VERIFIED |
| 411572 |
Unnamed attachments reveal full local paths when forwarded inline or edited as new |
-- |
RESOLVED |
| 412381 |
Clear Private Data should delete old signons.txt file(s). |
-- |
RESOLVED |
| 412525 |
[meta] Bugs that let sites tell whether you've visited another site |
-- |
RESOLVED |
| 413112 |
If helper application isn't available anymore downloaded temporary files aren't deleted on shutdown |
-- |
RESOLVED |
| 413689 |
FF3 doesn't clean up old FF2 session data |
-- |
RESOLVED |
| 414478 |
Clearing cookies should also clear Flash local storage |
-- |
RESOLVED |
| 415397 |
URLs with (un)escaped characters can't be deleted |
P3 |
RESOLVED |
| 415737 |
Tools->Options->Privacy->"Always Clear my private data when I close Firefox" leaves the most recently browsed url in the address history |
-- |
RESOLVED |
| 415944 |
Don't expose password text through A11y text interfaces |
P1 |
RESOLVED |
| 416356 |
Does not accept domain cookies issued by subdomains sites like bugzilla.mozilla.org cannot issue a mozilla.org cookie |
-- |
RESOLVED |
| 416893 |
Remove aria-secret |
-- |
RESOLVED |
| 417994 |
navigator object does not fully reflect user agent settings |
-- |
RESOLVED |
| 418119 |
nsIContentPolicy not called for external DTDs of XML documents |
P3 |
RESOLVED |
| 418321 |
Components do not expose disk interfaces |
P3 |
RESOLVED |
| 418986 |
window.screen and CSS media queries provide a large amount of identifiable information (Tor 2875) |
-- |
RESOLVED |
| 419117 |
Add noise to gethash requests |
P1 |
RESOLVED |
| 421180 |
When removing bookmarks existing keywords aren't deleted/removed |
-- |
VERIFIED |
| 421189 |
URIProperties/POSTData annotations have not been removed correctly, so pages are not deleted from places history |
-- |
RESOLVED |
| 421494 |
reimplement third party cookie blocking |
P1 |
RESOLVED |
| 421823 |
Cookie blocking non-functional for asset fetches in page headers |
-- |
RESOLVED |
| 421980 |
Deleting some addresses in the history of the address bar doesn't work sometimes |
-- |
RESOLVED |
| 422548 |
After Clear Private Data, some history still appear in the location bar due to bogus EXPIRE_NEVER annotations |
P2 |
VERIFIED |
| 422944 |
Allow turning off bookmark searching in address bar |
-- |
RESOLVED |
| 423154 |
off-by-one error for browser.bookmarks.max_backups |
P2 |
VERIFIED |
| 423266 |
Address bar dropdown remembers recently visited URLs even though history has been cleared |
-- |
VERIFIED |
| 423960 |
regression: disabling history remembers visits |
P1 |
VERIFIED |
| 424373 |
remove a search engine will not remove its associated keyword |
-- |
RESOLVED |
| 424538 |
Updater.exe should be signed to make it compatible with Vista UAC |
-- |
RESOLVED |
| 424900 |
firefox freezes while I am in bookmarks, while approve each cookie is on |
P2 |
RESOLVED |
| 425819 |
Extensions circumvent disabled cookies |
-- |
RESOLVED |
| 429070 |
exposing Components.interfaces to untrusted content leaks information about installed extensions |
-- |
RESOLVED |
| 429402 |
Oddness with remembered zooming with frames |
-- |
REOPENED |
| 429846 |
Copy and Paste breaks mail-internal links <a href="#anchor"> (private profile links get sent, broken) |
-- |
NEW |
| 430779 |
When I pressed the clear private history tab I expected the history to be deleted |
-- |
RESOLVED |
| 431155 |
sessionstore.js should be deleted or bypassed when "clear private data" is used |
-- |
RESOLVED |
| 431345 |
Google search causes first result to be requested and with HTTP_REFERER [prefetching] |
-- |
RESOLVED |
| 431547 |
FATAL FLAW IN SESSION RESOTRE BYPASSES SECURITY |
-- |
RESOLVED |
| 431782 |
HTTP redirects can bypass content policies |
-- |
NEW |
| 432197 |
search history comes back after deletion |
P2 |
VERIFIED |
| 433975 |
delete sessionstore.js when starting a new session |
-- |
RESOLVED |
| 434457 |
Logout-Button doesn't work. (passwords) |
-- |
NEW |
| 435159 |
nsNSSCertificateDB::DeleteCertificate has race conditions |
-- |
RESOLVED |
| 435416 |
Privacy evaluation: places.sql leaves traces of visited URLs |
-- |
RESOLVED |
| 435418 |
privacy evaluation: privacy tool does not clear downloads.sqlite |
-- |
RESOLVED |
| 435670 |
Existing cookies leak when using the "Ask Every Time" option and choosing "Deny". |
-- |
RESOLVED |
| 437925 |
Flash Music Keeps Playing when window was closed |
-- |
RESOLVED |
| 439237 |
Privacy concern with respect to content-prefs.sqlite file |
-- |
RESOLVED |
| 439263 |
Messages deleted from Drafts or Junk folders are permanently retained in the respective MBOX file |
-- |
RESOLVED |
| 441751 |
Directives not to cache pages ignored. |
P1 |
RESOLVED |
| 442526 |
Remote content in e-mails is blocked even if explicitly allowed for a message when "Accept all images" is not selected |
-- |
NEW |
| 442885 |
Recently visited Sites are Not cleared from Address bar, after clearing History. |
-- |
RESOLVED |
| 443337 |
Cookie "Exceptions" Should Not Take Precedence Over "Accept third-party cookies" |
-- |
RESOLVED |
| 443354 |
"Save and Quit" tabs should not save session cookies of to-be-restored tabs |
-- |
VERIFIED |
| 444004 |
When sending to an OS X mailing list, contacts should be in BCC and not TO fields |
-- |
VERIFIED |
| 445164 |
Cookies not securely deleted from cookies.sqlite |
-- |
RESOLVED |
| 445704 |
JSON bookmarks backup has localized filename (and can't be easily restored) |
P1 |
VERIFIED |
| 446205 |
Remove contentaccessible from Firebug chrome.manifest |
-- |
RESOLVED |
| 446261 |
Clear Private Data should also reset last directory saved to |
P5 |
NEW |
| 446537 |
Show password should be disabled if no master password is set |
-- |
RESOLVED |
| 446700 |
location bar stores urls visited but not bookmarked even after all private data is cleared |
-- |
RESOLVED |
| 448372 |
Sensitive cookie data remains readable and on disk in cookies.sqlite after "Clear Private Data" and "Remove All Cookies" |
P1 |
RESOLVED |
| 448743 |
Decouple general.useragent.locale from spoofing of navigator.language |
-- |
RESOLVED |
| 448965 |
Can not Delete History |
-- |
RESOLVED |
| 449703 |
[1.8 branch] XBM appears to draw uninitialized memory |
-- |
VERIFIED |
| 449981 |
storage UI should look and act alot like cookie UI |
-- |
RESOLVED |
| 450314 |
use a special tag to block results from the awesomebar |
P2 |
RESOLVED |
| 451544 |
Clear private data function (man+auto) does NOT clear the visited sites in the drop down list |
-- |
RESOLVED |
| 452241 |
Blocked pictures are loaded when you go on "answer" or "forward" |
-- |
RESOLVED |
| 452639 |
Saved password shows up after switching to another tab and back |
-- |
RESOLVED |
| 454908 |
sessionstore.js stores contents of password fields in plaintext |
-- |
VERIFIED |
| 456210 |
URL containing password is kept when you enter a cPanel |
-- |
RESOLVED |
| 456955 |
Password shown in plain text and saved plain in History |
-- |
RESOLVED |
| 457195 |
nsSessionStartup::state not cleared with history |
-- |
RESOLVED |
| 458849 |
transition download visits saved when "Keep my history..." is unchecked. |
P2 |
VERIFIED |
| 460608 |
Download of temporary files for helper applications are stored in downloads.sqlite while private browsing is active |
-- |
RESOLVED |
| 460609 |
Temporary files for helper applications are not deleted when leaving Private Browsing mode |
-- |
VERIFIED |
| 460689 |
Temporary files on OS X are no longer deleted on shutdown with browser.helperApps.deleteTempFileonExit set to true |
-- |
RESOLVED |
| 461204 |
Boundary delimiter for HTTP file posts is static. That is wrong according to RFC. |
-- |
RESOLVED |
| 461625 |
Hide the UI for saving permission manager entries in Private Browsing mode |
-- |
VERIFIED |
| 461627 |
Hide the UI for saving certificate exceptions permanently in Private Browsing mode |
-- |
VERIFIED |
| 461710 |
Write an automated test to ensure that visited link coloring is turned off in private browsing mode |
-- |
RESOLVED |
| 461747 |
Enable bypassing the private browsing mode in the Places module |
-- |
RESOLVED |
| 461748 |
Enable bypassing the private browsing mode in the Satchel module |
-- |
RESOLVED |
| 461749 |
Enable bypassing the private browsing mode in the Download Manager module |
-- |
RESOLVED |
| 461750 |
Enable bypassing the private browsing mode in the Satchel module (search history) |
-- |
RESOLVED |
| 461755 |
Error console should be cleared when leaving the private browsing mode |
-- |
VERIFIED |
| 462106 |
Clear the data copied to clipboard inside the private browsing mode after leaving it |
P2 |
VERIFIED |
| 462218 |
Read the sessionstore data from the disk instead of keeping it in memory when saving the session for private browsing mode |
P3 |
RESOLVED |
| 462639 |
Handle view-source windows in Private Browsing mode |
P3 |
RESOLVED |
| 463202 |
Search engine box should be cleared when leaving the private browsing mode |
-- |
VERIFIED |
| 463471 |
temp tables are not correctly synced to disk when the user clear private data on shutdown |
P1 |
RESOLVED |
| 463607 |
Interaction of Clear Recent History dialog and the private browsing mode |
P3 |
NEW |
| 463692 |
Clear the findbar text when leaving the private browsing mode |
-- |
VERIFIED |
| 463863 |
Download history not shown in Places history |
P2 |
VERIFIED |
| 463888 |
Do not persist the "Save As" location in private browsing mode |
-- |
VERIFIED |
| 463893 |
always load remote images should not be based on sender's email address - use smtp server from which the message originates or on the server serving the images |
-- |
RESOLVED |
| 464071 |
User tracking via Math.random output and multipart/form-data boundary string |
-- |
RESOLVED |
| 464414 |
Firefox's User-Agent string is a privacy hazard when locales and Operating Systems with limited number of users are involved |
-- |
RESOLVED |
| 464417 |
Forget About this Site doesn't close open tabs |
P3 |
NEW |
| 464792 |
Exit Private Browsing mode when all windows are closed |
-- |
RESOLVED |
| 468063 |
Deleted passwords (and bookmarks) return after upgrade |
-- |
RESOLVED |
| 469961 |
"Clear my private data when I close Firefox" does not clear anything |
-- |
VERIFIED |
| 470188 |
Maintains visited pages history even though option is turned off |
-- |
RESOLVED |
| 470348 |
clear private data on shutdown does not delete history if "ask me before..." is enabled |
P2 |
VERIFIED |
| 471906 |
Login manager's onblur handler shouldn't do anything when the username is blank |
-- |
VERIFIED |
| 472062 |
Need a way to view and edit saved form data (like for passwords) |
-- |
RESOLVED |
| 472421 |
turn off full-hash caching when in private mode |
P5 |
RESOLVED |
| 473429 |
If Private browsing mode is started from a window-less state, stop PB mode should not restore the last session |
P3 |
VERIFIED |
| 474824 |
Firefox socks system proxy configuration broken w/ socks_remote_dns |
-- |
RESOLVED |
| 475585 |
Re-seed Math.random() for each window/frame/context |
-- |
RESOLVED |
| 475881 |
Private browsing mode warning doesn't mention that newly-installed client certificates are not cleared when exiting private browsing mode |
P3 |
NEW |
| 476463 |
Cookies set onunload of page are retained on exit/enter of PB mode |
P1 |
VERIFIED |
| 478218 |
onQuit expiration is not working, changes are never synced to disk |
P2 |
RESOLVED |
| 478888 |
Session restore can be misused in public places like internet cafe, office, college etc., |
-- |
RESOLVED |
| 479668 |
Dropping "Most Visited" of Bookmark Toolbar to Search bar causes privacy disclosure |
-- |
RESOLVED |
| 481503 |
do DNS prefetch for awesomebar matches |
P3 |
RESOLVED |
| 482967 |
Tools->Clear Private Data sometimes does not clear browsing history, cache and cookies |
-- |
RESOLVED |
| 483608 |
Disable Forget This Site in Private Browsing mode for Firefox 3.5 |
P1 |
VERIFIED |
| 484439 |
Is it safe to turn off private browsing while in autostart mode? |
-- |
RESOLVED |
| 486501 |
edit an address after autocomplete and autocomplete reselects the first choice, even reverts to a different address (involving quoted "Display Name") |
-- |
RESOLVED |
| 488162 |
DNS prefetch leaks information because it doesn't honour network.proxy.socks_remote_dns |
P2 |
RESOLVED |
| 488181 |
simplify code for exposing plugin paths/names |
-- |
RESOLVED |
| 488801 |
Clear Recent History doesn't provide feedback when one of the items fails to clear |
P3 |
RESOLVED |
| 488811 |
nsIPermissionManager.removeAll() should delete DB and re-init rather than just bailing. |
-- |
RESOLVED |
| 489754 |
Profiles mix settings |
-- |
RESOLVED |
| 490354 |
Closed tabs should not be able to be restored in Private Browsing mode |
-- |
RESOLVED |
| 490879 |
Pasting images into rich text editors creates temporary moz-screenshot.jpg, and therefore, does not work on the web (should use embedded <img src="data: URI"> instead) |
-- |
VERIFIED |
| 491732 |
add "Share Location" to Page Info > Permissions to redo/undo "always remember this choice" for geolocation preference |
P2 |
VERIFIED |
| 491759 |
Clear geolocation token when exiting private browsing |
P2 |
RESOLVED |
| 491761 |
Site loads in the background somehow? |
-- |
RESOLVED |
| 491810 |
Geolocation "cookie" isn't cleared at exit for network.cookie.lifetimePolicy == 2 |
-- |
RESOLVED |
| 492196 |
Make DNS-Prefetching subject to user-defined policies |
-- |
RESOLVED |
| 493062 |
Highlight/delete multiple site containers in history sidebar only deletes first one |
-- |
RESOLVED |
| 493124 |
Deleting a closed page in history does not delete its instance as a recently closed tab |
-- |
NEW |
| 493151 |
Privacy risk when clearing history in combination with private browsing |
-- |
RESOLVED |
| 496123 |
the last download directory from private browsing persists as the initial directory for the filepicker after stopping private browsing |
-- |
VERIFIED |
| 496561 |
nsIBrowserHistory.removeAllPages does not fully clear browsing history |
-- |
RESOLVED |
| 496595 |
Privacy leak in "remember for this site" permission of geolocation - persists outside of private browsing |
-- |
VERIFIED |
| 497717 |
User preference for Default Session on Start Up is not respected by Private Browsing Mode on Re-Start |
-- |
RESOLVED |
| 498648 |
Start private browsing while editing a message, cancel, doesn't cancel private browsing |
P2 |
VERIFIED |
| 499733 |
Open Web Location dialog leaks URL/search entered in private browsing mode |
-- |
VERIFIED |
| 503220 |
The update.locale file is readable from script via resource:/// |
-- |
RESOLVED |
| 503228 |
Unhandled error from BrowserFeedWriter close() method reveals installation path |
-- |
RESOLVED |
| 503456 |
Unknown protocol alerts are suppressed when wrapped with jar: |
P5 |
RESOLVED |
| 504330 |
Contacts Sidebar hijacks Ctrl+A keybinding in Compose window on MacOS (instead of moving cursor, unexpectedly adds selected contacts as recipients) |
-- |
NEW |
| 504795 |
Page Shows up in Print History |
-- |
NEW |
| 507541 |
Selected text from unrelated message is quoted when right-click replying to another message, cunningly with correct attribution line |
-- |
RESOLVED |
| 507578 |
disable DNS prefetching when PAC or WPAD is used |
-- |
RESOLVED |
| 508052 |
TB sometimes reuses stale attachment when sending same file several times |
-- |
RESOLVED |
| 508068 |
Flash cookies remembered outside Private Browsing |
-- |
VERIFIED |
| 508950 |
Saved passwords for a site deleted after log in to the site using the user name and password described and in turn, logs out |
-- |
RESOLVED |
| 511207 |
last page not removed from history upon close of browser |
-- |
RESOLVED |
| 511933 |
Implement chrome-only cookies |
-- |
RESOLVED |
| 512717 |
Dropping a file into a contenteditable area discloses the file's full path to the page |
-- |
RESOLVED |
| 513421 |
Never remember history option should notify the user that previous history won't be removed |
P3 |
NEW |
| 514214 |
Do not update page titles for places already in history inside the Private Browsing mode |
P2 |
RESOLVED |
| 515463 |
new async autocomplete does not always respect behavior pref changes |
P2 |
VERIFIED |
| 516232 |
[faceted search] Deleted for good/expunged messages are shown in search results |
-- |
RESOLVED |
| 516465 |
Adaptive results aren't filtered |
P2 |
RESOLVED |
| 516481 |
Bug with Clearing Form History |
-- |
RESOLVED |
| 517316 |
Opening non-hyperlinked URLs (using context menu) should not send referrer |
-- |
NEW |
| 517736 |
keyword.enabled is true by default, should be false to protect privacy |
-- |
RESOLVED |
| 518343 |
Clear Recent History should clear Certificate Exceptions when "Site Specific Settings" is checked |
P3 |
RESOLVED |
| 518601 |
Troubleshooting Information page should not allow copy-and-paste of the profile directory. |
P2 |
VERIFIED |
| 519077 |
Add a whitelist+blacklist for the modified prefs list on about:support |
-- |
RESOLVED |
| 522309 |
filter out access points that do not have SSIDs |
P2 |
RESOLVED |
| 523336 |
User Identification Request-Dialog's "remember this decision" remembers the wrong certificate |
-- |
RESOLVED |
| 524281 |
Displaying a feed message (web page mode) that uses script to redirect a different url results in passing the url to the default browser. |
-- |
REOPENED |
| 524874 |
Attaching Windows shortcuts (.lnk files) *via drag and drop* lies about file size and type and creates useless attachments (original file with .lnk extension) |
-- |
NEW |
| 524899 |
Firefox should ask for master password when viewing list of sites for which passwords are saved |
P5 |
RESOLVED |
| 526731 |
location bar undo buffer not cleared when leaving private browsing mode |
-- |
RESOLVED |
| 527311 |
Addressbar suggests adaptive results regardless of requested behavior |
-- |
RESOLVED |
| 527463 |
Update checks for lightweight themes should not happen for non-whitelisted sites |
-- |
RESOLVED |
| 527667 |
DOM Storage (localStorage, sessionStorage) data is not cleared when "Clear Recent History" is used with Time range not "Everything" |
P1 |
RESOLVED |
| 528416 |
Download Directory Persists After "Clear Recent History" |
-- |
RESOLVED |
| 529419 |
deleting tree item 'Older than 6 months' |
-- |
RESOLVED |
| 529899 |
Session Restore needs to honor "Keep cookies until I close Firefox" in a clean shut-down |
-- |
RESOLVED |
| 530173 |
Possible privacy leak with full-screen playing videos on exit on Private Browsing |
-- |
RESOLVED |
| 530235 |
Windows "Recent Documents" and Privacy (private browsing, clear recent history) |
-- |
RESOLVED |
| 530594 |
Session restore can result in excessive session cookie lifespan |
P3 |
NEW |
| 530637 |
Private session restored if browser crashes inside the private browsing mode |
-- |
RESOLVED |
| 532982 |
mail composed with bcc: recipients only, and sent via "Send Later" or with mailnews.sendInBackground=true can disclose bcc: recipients |
-- |
RESOLVED |
| 535439 |
upgrading to Thunderbird 3.0 turns on "always return acknowledgement receipts" without user knowledge |
-- |
RESOLVED |
| 535976 |
Unwanted DNS queries when opening mail, potential privacy issue |
-- |
RESOLVED |
| 536081 |
Can't delete all history entries returned by a search in Library or Sidebar |
-- |
RESOLVED |
| 536509 |
localStorage does not obey "third-party cookies" pref |
P3 |
RESOLVED |
| 536567 |
Store the value of the per-site last file upload directories inside the memory while private browsing is active |
-- |
RESOLVED |
| 537922 |
Viewing bookmark properties causes HTTP retrieval |
-- |
RESOLVED |
| 539296 |
Does registerProtocolHandler() violate Private Browsing mode? |
-- |
RESOLVED |
| 541911 |
Clear History doesn't cleanup livemarks children favicons |
-- |
RESOLVED |
| 542674 |
Support downloading Intermediate CA certificates by following URLs within an AIA/CAIssuers extension |
-- |
VERIFIED |
| 543006 |
Deleting History, Cookies causes all entries in the exception cookie list to be deleted too. |
-- |
RESOLVED |
| 543766 |
Disabling 3rd Party Cookies breaks microsummary generation |
-- |
RESOLVED |
| 543922 |
Strip usernames and passwords (and sanitize file://) in URLs submitted with crash reports |
-- |
RESOLVED |
| 544452 |
nsIGlobalHistory2::isVisited() should know the origin of the document |
-- |
RESOLVED |
| 544745 |
DNS Prefetch security issue: Information leak |
-- |
RESOLVED |
| 545069 |
web site is able to retrieve my name and email address upon loading up its own page |
-- |
RESOLVED |
| 545393 |
DNS Prefetch security issue: Information leak |
-- |
VERIFIED |
| 547490 |
mail.password_protect_local_cache does not protect cache when set to true, mails/messages in thread pane are visible/displayed and can be viewed/accessed |
-- |
RESOLVED |
| 549459 |
Permission denied exception string way too descriptive |
P1 |
RESOLVED |
| 549697 |
Add click-to-start form of disabled plugins (Add-on manager) |
-- |
VERIFIED |
| 550122 |
Clear recent history set to "everything" is restored after restarting browser |
-- |
RESOLVED |
| 550293 |
plugin-crashed UI needs more user opt-in |
-- |
RESOLVED |
| 552124 |
"undo history" in urlbar exposes urls visited while in private browsing |
-- |
RESOLVED |
| 553406 |
Crash reporter can leak info from Private Browsing mode |
-- |
NEW |
| 557598 |
Support strict-transport-security (STS) in private browsing mode |
-- |
RESOLVED |
| 560131 |
Password-protected profiles |
-- |
RESOLVED |
| 562644 |
Ensure correct Places shutdown sequence and avoid sync expiration stuff. (Clear locationbar history on shutdown) |
-- |
VERIFIED |
| 562917 |
[meta] implement captive portal detection |
P3 |
RESOLVED |
| 563145 |
"Clear Recent History" doesn't work for me |
-- |
RESOLVED |
| 563595 |
No button to delete local synchronized mail only |
-- |
NEW |
| 564145 |
Provide opportunity to abort retrieval for "leave an encrypted page for one that isn't encrypted" |
-- |
RESOLVED |
| 564690 |
Information leak in security exception allows user tracking, phishing |
-- |
RESOLVED |
| 565561 |
Include option to delete Flash cookies |
-- |
RESOLVED |
| 565670 |
Information disclosure when using notifications and xscreensaver |
-- |
REOPENED |
| 565740 |
Clear the chrome search field input when navigated away from the results page, and make it tab-specific |
P5 |
NEW |
| 565768 |
Let people nuke individual entries in the AwesomeBar directly from it |
-- |
RESOLVED |
| 566010 |
Remove the ability to create bookmarks while in private browsing mode |
-- |
RESOLVED |
| 566423 |
Consider standardizing/normalizing navigator.plugins (browser fingerprinting) |
-- |
RESOLVED |
| 566827 |
Privacy Leak: Windows 7 Jump List ignores "Clear history when Firefox closes" setting |
-- |
VERIFIED |
| 567308 |
Test Pilot needs to clean up after itself; delete old prefs and data |
P1 |
RESOLVED |
| 568373 |
Private browsing saves the path of Uploaded files in Gmail |
-- |
RESOLVED |
| 568564 |
Suppress the script filename for cross-origin error events (SA39925) |
-- |
RESOLVED |
| 572650 |
[meta] Reduce the amount of data and entropy sent out in HTTP requests |
P5 |
NEW |
| 572652 |
Remove the Accept-Charset header from HTTP requests |
-- |
VERIFIED |
| 572659 |
Don't expose the Gecko patch level (13.X.Y) in the UA string, only show the major version (13.X) |
-- |
VERIFIED |
| 572661 |
Don't expose the Gecko build date in the UA string |
-- |
RESOLVED |
| 572665 |
Make the UA string of non-Firefox-branded builds say "Firefox" |
-- |
RESOLVED |
| 572667 |
Remove the Accept-Language header from HTTP requests and the accompanying UI from prefs |
-- |
RESOLVED |
| 573150 |
crash reporter inadvertently sends IE cookies to crash submission URL |
-- |
RESOLVED |
| 575007 |
When using the HTC Sense Keyboard on password boxes text suggestions appear |
-- |
VERIFIED |
| 576621 |
clearing cache does NOT clear cached images |
-- |
RESOLVED |
| 576731 |
IMAP folder synchronization and global indexer should be opt-in for privacy reasons |
-- |
RESOLVED |
| 577221 |
Firefox doesn't remember "submit crash report" check box |
-- |
RESOLVED |
| 577512 |
(more) cross-domain information leakage with Math.random() |
-- |
RESOLVED |
| 577685 |
Do not allow adding search engines during private browsing mode |
-- |
RESOLVED |
| 577689 |
Do not store intermediate CAs in private browsing mode |
-- |
RESOLVED |
| 579334 |
Async visits are ignoring a disabled history |
-- |
RESOLVED |
| 579358 |
Repainting of form controls(input type=file") fails intermittently when I close menupopup(App button menu and contentarea context menu etc.) which overlapped with the control each other, when disabled D2D and D3D9 |
-- |
RESOLVED |
| 580099 |
Prefetch DNS for hosts needed during startup |
-- |
RESOLVED |
| 580374 |
Async visits could be handled after a sync API that removes pages (like clearHistory) |
-- |
RESOLVED |
| 580892 |
Checking 'clear history when minefield closes' is not clearing cache on shutdown but on startup |
-- |
VERIFIED |
| 581008 |
Remove support for appending arbitrary data to the User Agent string |
-- |
RESOLVED |
| 581193 |
button[type="menu-button"] looks like a dropdown, but acts like a button |
-- |
RESOLVED |
| 581515 |
dragging attachment from received message to compose window can attach the wrong file |
-- |
NEW |
| 583175 |
Add a security delay to the main action of PopupNotifications |
-- |
RESOLVED |
| 583181 |
Don't reveal navigator.buildID to every site on the web |
P3 |
RESOLVED |
| 583886 |
Nuke or nerf history.length |
-- |
RESOLVED |
| 586885 |
show search suggestions when entering text in awesome bar |
P3 |
VERIFIED |
| 587523 |
Protect path of HTTP Referer Header when in Private Browsing |
P2 |
VERIFIED |
| 593174 |
Referrers/origins broken and spoofable via cross-window location manipulation |
-- |
RESOLVED |
| 594537 |
opener.location allows tracking user's browsing |
-- |
RESOLVED |
| 595178 |
Dismissed "Remember password?" notification sticks around for too long |
-- |
RESOLVED |
| 595207 |
E4X function:: namespace allows recognizing user despite clearing private data |
-- |
RESOLVED |
| 595307 |
IndexedDB: third-party checks |
-- |
RESOLVED |
| 596976 |
add bookmark dialog behaves as if clicked okay when clicked outside |
-- |
RESOLVED |
| 597129 |
Web page can steal paste text. Textbox in web page is changed to pasted text temporarily when execute "Paste & Go" or "Paste & Search" command. |
-- |
RESOLVED |
| 598925 |
Prevent obnoxiously persistent cookies (forevercookie) |
-- |
RESOLVED |
| 599294 |
Let me confirm/pref HTML5 storage for sites |
-- |
NEW |
| 599724 |
Tracking bug to treat "localStorage cookies" the same way as http cookies |
P3 |
RESOLVED |
| 600025 |
CSS timing attack on global history still possible with MozAfterPaint |
P3 |
VERIFIED |
| 600881 |
Able to copy password from password manager without entering master password |
-- |
RESOLVED |
| 600982 |
Clear DOM storage entries for a domain when using the Forget about this site feature |
-- |
RESOLVED |
| 601526 |
XSS Exploit allows for Geolocation Stealing |
-- |
RESOLVED |
| 601527 |
CSS Exploit allows for Privacy Invasion |
-- |
RESOLVED |
| 602199 |
Eliminate cached console data when moving in and out of Private Browsing |
P1 |
RESOLVED |
| 605658 |
Home page settings are revealed in about:support but should be hidden unless needed for support |
P5 |
NEW |
| 606403 |
Forget About this Site doesn't purge entries in session history |
P3 |
ASSIGNED |
| 610252 |
Disabling geolocation in about config does not prevent geolocation |
-- |
RESOLVED |
| 611112 |
Default location in the start page message area reveals information and is susceptible to DNS hijacking |
-- |
RESOLVED |
| 611168 |
Improve private browsing mode's entry text |
-- |
RESOLVED |
| 612242 |
Cookies are not filterable based off of name |
-- |
RESOLVED |
| 614116 |
Insecure sites may modify existing secure items in globalStorage when in PB or SO-cookies mode |
-- |
RESOLVED |
| 615711 |
CSP reporting exposes the presence of add-ons that inject certain elements in the DOM |
P2 |
RESOLVED |
| 616619 |
Autocomplete allows sites to see what other sites a user has visited and possible data as well |
-- |
NEW |
| 618311 |
Inspect Network Request window persists on close of Web Console - PB data leak |
-- |
VERIFIED |
| 620090 |
Disappearing attachments when some deleted from list of 9 or so |
-- |
RESOLVED |
| 620853 |
Holding Ctrl+Enter a little too long causes unintentional confirmation of "Send Message?" prompt, and sends multiple copies of the message - only plain Enter (without modifier key) should confirm the prompt |
-- |
NEW |
| 623198 |
Improve UI to workaround scam detection generating too many false positives |
-- |
RESOLVED |
| 627239 |
Don't store thumbnails for cache:control:no-store pages |
P1 |
RESOLVED |
| 627432 |
simple-storage store not purged when add-on is uninstalled |
-- |
RESOLVED |
| 627472 |
Change values for sessionstore.privacy_level_deferred to not save secure session cookies |
-- |
VERIFIED |
| 627686 |
Thunderbird sends Spam information in email header |
-- |
RESOLVED |
| 628043 |
The last closed window is restored when a secondary window is left open and a new browser window is opened |
-- |
VERIFIED |
| 628642 |
Information leakage - Firefox 3.6.13 stores private information of https-session in browser cache/history |
-- |
RESOLVED |
| 628747 |
SVG-as-an-image shouldn't be able to load external resources (which might come from other domains) (including same-origin resources, which could be using an open redirector) |
-- |
RESOLVED |
| 629858 |
strict warning "function f does not always return a value" can cause buffer overreads |
-- |
RESOLVED |
| 632127 |
Recipient autocomplete angle brackets characters (doe >> John Doe <john@asdf.com>) remain in recipient field and get sent with message header (when clicking send without manually confirming autocomplete) |
-- |
RESOLVED |
| 633644 |
nsUrlClassifierDBServiceWorker::GetLookupFragments returns duplicate fragments in some cases |
-- |
RESOLVED |
| 633773 |
Use Google's HTTPS search by default |
-- |
RESOLVED |
| 634257 |
nsUCS2BEToUnicode fails to adhere to the API contract when given a buffer with one byte |
-- |
RESOLVED |
| 635439 |
Remove doorhanger key icon when "Not now" is selected in Password Save doorhanger |
-- |
RESOLVED |
| 637482 |
Broken Link to Privacy Policy: 404 Page Not Found |
-- |
VERIFIED |
| 639722 |
Provide UI for opting out of sending add-on information to the discovery pane |
-- |
RESOLVED |
| 639968 |
Add checkbox to Software Installation preferences to opt out of personalized add-on recommendations |
-- |
RESOLVED |
| 640033 |
Add checkbox to Security or Advanced preferences to opt out of personalized add-on recommendations |
-- |
RESOLVED |
| 640745 |
Avoid sending client certificates in the clear in TLS handshakes when possible |
-- |
RESOLVED |
| 644020 |
Client cert dialog should indicate whether cert will be sent in the clear or encrypted |
P5 |
NEW |
| 644998 |
Session should not be restorable after "Clear Recent History" |
-- |
RESOLVED |
| 645080 |
[adbe 2834581] Per-site clearing of Flash Player LSOs should get hooked up to the privacy pane |
-- |
RESOLVED |
| 645683 |
Remove "Do you want to enable auto-update" prompt for CRL import |
-- |
RESOLVED |
| 648064 |
Application cache should not bother user |
-- |
RESOLVED |
| 648186 |
HSTS can be used as a tracking mechanism analogous to cookies |
-- |
RESOLVED |
| 648654 |
Add user-visible pref for Do Not Track |
-- |
VERIFIED |
| 648941 |
Starting private browsing: keep-alive http connections are not terminated |
-- |
VERIFIED |
| 650280 |
Switching from Private Browsing to Normal Browsing keeps search strings while in Panorama |
-- |
RESOLVED |
| 650409 |
Provide users with the ability to disable third party localstorage |
-- |
RESOLVED |
| 650827 |
Implement the Right to Be Forgotten on Thunderbird's mail headers |
-- |
UNCONFIRMED |
| 651276 |
Problem with master password |
-- |
RESOLVED |
| 652002 |
Clear Recent History must clear OCSP cache when "Site Specific Settings" is checked |
P3 |
NEW |
| 652003 |
Clear Recent History must clear intermediate certs cached during the given time period |
P3 |
NEW |
| 652004 |
Do not cache intermediate certs in private browsing mode |
-- |
RESOLVED |
| 652298 |
Certificate Exceptions added during Private Browsing should be forgotten when leaving Private Browsing |
-- |
RESOLVED |
| 652631 |
Sync do not track (DNT) pref across applications |
-- |
RESOLVED |
| 654502 |
[meta] Improve Thunderbird's scam / phishing detection and user interaction |
-- |
NEW |
| 654550 |
Preference to disable video statistics |
-- |
RESOLVED |
| 655367 |
fingerprinting installed apps through a timing attack using moz-icon: and WebGL |
-- |
RESOLVED |
| 657237 |
Session tickets generated by libssl leak length of client certificate |
P3 |
NEW |
| 657263 |
xulstore is keeping a quasi history via place: and find: urls in RDF:about attributes |
P3 |
RESOLVED |
| 657733 |
softoken sqlite metaData are added but never deleted |
P5 |
RESOLVED |
| 659306 |
unexptected favicon connection to Web when open Preferences/Applications |
-- |
NEW |
| 659348 |
Flash from previously closed tab reappears when firefox hangs |
-- |
RESOLVED |
| 660595 |
Inbox shows data and time for download mail greater then one day then system date and time |
-- |
RESOLVED |
| 660719 |
the browser shouldn't accept cookie(s) from "safebrowsing" provider (ie. Google) during "safebrowsing" communication |
-- |
RESOLVED |
| 661573 |
Telemetry: Do not record/send data in private mode |
-- |
RESOLVED |
| 662257 |
Save attachment folder defaults to Thunderbird installation folder if last folder used is disconnected network directory / share |
-- |
UNCONFIRMED |
| 662996 |
OCSP requests leak cookies |
-- |
RESOLVED |
| 663782 |
After private browsing, windows not treated properly when exiting. |
-- |
RESOLVED |
| 664633 |
Improve privacy & security of Thunderbird account autoconfiguration |
-- |
REOPENED |
| 664634 |
Improve Thunderbird's behavior if an invalid certificate is seen for a host with a previous good certificate |
-- |
NEW |
| 664636 |
Thunderbird should (semi-)automatically improve the security-related server configuration settings when it knows an improvement could be made |
-- |
NEW |
| 664637 |
Thunderbird auto-configuration database should be expanded & updated by regularly spidering every domain on the internet |
-- |
RESOLVED |
| 664646 |
Message Reader de-references IMG SRC links in email attachments from untrusted senders |
-- |
RESOLVED |
| 664694 |
about:home |
-- |
VERIFIED |
| 665531 |
[Linux] Store that file was downloaded from the Internet (Extended Attribute user.xdg.origin.url) |
-- |
NEW |
| 666204 |
Browser uploads private data after user says "no" |
-- |
RESOLVED |
| 666387 |
Full path of file is exposed to content |
-- |
RESOLVED |
| 666782 |
Firefox updates bookmarks favicons while In Private Browsing. |
-- |
NEW |
| 669160 |
Search will remember address after deleting all emails and address book entries for that address |
-- |
NEW |
| 669814 |
When needed, automatically update Accept-Charset to match Accept-Language if the latter is changed by user via UI (with possible opt-out feature) |
-- |
RESOLVED |
| 670450 |
Google search from about:home should not reveal anything about user's UI locale in URL |
-- |
RESOLVED |
| 670451 |
OpenSearch "language" and MozSearch moz:language parameters shouldn't use UI locale |
-- |
RESOLVED |
| 672352 |
Explain how Firefox uses permissions in Android Market description |
P2 |
RESOLVED |
| 673175 |
information leak - email address of last user to comment awaiting moderation was being shown |
P1 |
RESOLVED |
| 673248 |
Name compartment after shared origin instead of first URL |
-- |
RESOLVED |
| 674741 |
WebNFC (near-field communication) |
-- |
RESOLVED |
| 675333 |
Notify user about ToS/PP changes through the Sync client UI (Terms of Service, Privacy Policy, notification, updates) |
-- |
RESOLVED |
| 675818 |
Add delete button to awesome bar result matches |
P3 |
RESOLVED |
| 679921 |
sessionstore.json sessionstore.bak not encrypted (SeaMonkey and Firefox) |
-- |
UNCONFIRMED |
| 680300 |
Restrict discoverability of protocol handlers [Tor 1623] |
P2 |
RESOLVED |
| 682455 |
Granting permission to a specific site to access geolocation five times should not grant this permission permanently |
-- |
RESOLVED |
| 683462 |
First-time Private Browsing warning/info messagebox is a security vulnerability |
-- |
RESOLVED |
| 684033 |
Protect user privacy by implementing "click to play" for social network buttons |
-- |
NEW |
| 684035 |
Saving attachment from X-Mozilla-External-Attachment-URL presents no dialog before downloading URL |
-- |
NEW |
| 685373 |
update telemetry opt-in text to include feature/app usage |
-- |
RESOLVED |
| 686135 |
Extensions cannot find out when a certificate fails certificate chain validation |
-- |
RESOLVED |
| 690992 |
App tabs break deleting cookies on close (FF8+) |
-- |
VERIFIED |
| 691054 |
Back out bug 667980 (getNetworkLinkType) on Android because of scary permissions |
-- |
VERIFIED |
| 692869 |
Users should have more flexibility in how public their profile information is shown |
P1 |
VERIFIED |
| 694054 |
Firefox allows extensions to ignore cookie expiration preference |
-- |
RESOLVED |
| 695487 |
Feature: do not show potentially embarrassing autocomplete matches in the awesomebar |
-- |
RESOLVED |
| 695533 |
Implement click-to-plugin in Firefox |
-- |
RESOLVED |
| 696036 |
"show passwords" is not secure |
-- |
RESOLVED |
| 696652 |
With multiple identities, TB wrongly picks random non-default alternate identity for From: based on matching domain only (instead of full email address) |
-- |
RESOLVED |
| 697941 |
add link to about:permissions from options->privacy |
-- |
RESOLVED |
| 697942 |
Add "Do not remember browsing history" option in about:permissions |
-- |
RESOLVED |
| 699716 |
Incorrect screenshot shown when starting up after clearing app data |
P2 |
VERIFIED |
| 703020 |
OCSP requests leak cookies |
-- |
RESOLVED |
| 703024 |
Back out bug 662996 (OCSP requests leak cookies) because of bug 701019 |
-- |
VERIFIED |
| 704613 |
Email replies are send under wrong identity |
-- |
RESOLVED |
| 704779 |
App tabs causes Firefox to remember _all_ previous sessions after restart |
-- |
RESOLVED |
| 705544 |
Preferences/Privacy/History does not honour my setting |
-- |
UNCONFIRMED |
| 705545 |
Preferences/Privacy/History/Exceptions (blocked sites) got cleared when Clear Recent History |
-- |
RESOLVED |
| 705704 |
Hide email address in From: selection |
-- |
UNCONFIRMED |
| 706960 |
Privacy leak in http://hacks.mozilla.org |
-- |
RESOLVED |
| 708995 |
Find out what fallback charset users choose for each localization |
-- |
RESOLVED |
| 711552 |
Create click to play UI for desktop |
-- |
RESOLVED |
| 711618 |
implement basic click to play permission model |
-- |
RESOLVED |
| 720968 |
cookie exception rules can be modified by site javascript |
-- |
RESOLVED |
| 721398 |
moz-page-thumb protocol should not be accessible from a web page |
-- |
VERIFIED |
| 721408 |
moz-page-thumb protocol should not access from a web page |
-- |
RESOLVED |
| 724179 |
Gecko sends cookies and HTTP auth credentials in mixed-content requests |
P3 |
NEW |
| 724182 |
Gecko sends cookies and HTTP auth credentials in cross-domain requests to an unrelated domain for images and scripts that haven't been approved by CORS |
P3 |
RESOLVED |
| 725629 |
Remove user data from Android databases |
-- |
RESOLVED |
| 728658 |
Handle HTTP error 511 Network Authentication Required (RFC 6585: standard secure proxy authentification/captive portal detection) |
-- |
RESOLVED |
| 728831 |
Don't expose the Firefox patch level (13.X.Y) in the UA string, only show the major version (13.X) |
-- |
RESOLVED |
| 728888 |
Don't expose the Fennec patch level (13.X.Y) in the UA string, only show the major version (13.X) |
-- |
RESOLVED |
| 728894 |
[B2G] Don't expose the Firefox patch level (13.X.Y) in the UA string, only show the major version (13.X) |
-- |
RESOLVED |
| 728952 |
Don't expose the SeaMonkey/Firefox patch level (2.10.Y/13.X.Y) in the UA string, only show the major version (2.10/13.X) |
P5 |
RESOLVED |
| 730420 |
Registration should mention that the Username will be public |
P3 |
RESOLVED |
| 731047 |
Clean up old profile after Firefox profile reset |
-- |
VERIFIED |
| 732522 |
Allow submission of telemetry data with SUMO feedback |
-- |
NEW |
| 733215 |
telemetry for search suggestions and engines |
-- |
RESOLVED |
| 735863 |
Implement navigator.geolocation.getAddress() |
-- |
RESOLVED |
| 736373 |
Limit or remove OS information in User-Agent |
P3 |
NEW |
| 737403 |
Concerns about B2G privacy |
-- |
RESOLVED |
| 737548 |
pre connect http sessions on link hover |
-- |
RESOLVED |
| 737559 |
"Assertion failure: !proto->getClass()->ext.outerObject" |
-- |
VERIFIED |
| 738131 |
implement device proximity |
-- |
RESOLVED |
| 738376 |
Use https://encrypted.google.com/ instead of https://www.google.com/ for security and privacy reasons |
-- |
VERIFIED |
| 741810 |
[Privacy Review][Action Item] Logging Policy |
-- |
RESOLVED |
| 743152 |
Automatically delete personal EXIF data from images when uploading |
-- |
RESOLVED |
| 744466 |
Isolate DOM Storage to first party domain (Tor 6564) |
P2 |
RESOLVED |
| 746855 |
[ASan] READ heap-buffer-overflow in format-number() |
-- |
VERIFIED |
| 749541 |
Encrypt email addresses in old emails and address book |
-- |
NEW |
| 751465 |
Websockets leak DNS requests (Tor 5741) |
-- |
RESOLVED |
| 751661 |
Mozillians Phonebook API: Security Review |
P4 |
RESOLVED |
| 752143 |
Use speculative connect for inline-autocompleting beyond the domain name |
-- |
RESOLVED |
| 753622 |
Check in mochitest for bug 737559 after Firefox 14 ships |
-- |
RESOLVED |
| 754608 |
[New Tab Page] shows thumbnails from pages with "Cache-Control: no-store", and HTTPS pages when HTTPS disk caching is disabled |
-- |
RESOLVED |
| 755284 |
Fingerprintable information in update behavior |
P3 |
UNCONFIRMED |
| 755996 |
[New Tab Page] shows sensitive information in the thumbnails |
P3 |
RESOLVED |
| 756744 |
Sometimes Flash Video Downloader logs the visited site in system.log |
-- |
RESOLVED |
| 758232 |
Telemetry for WebRT |
-- |
RESOLVED |
| 758857 |
Use Wikipedia's HTTPS search by default for Firefox desktop and Android |
-- |
VERIFIED |
| 761040 |
Offline cache entries are created for no-store entries |
-- |
RESOLVED |
| 766397 |
PasswordsRepoSession leaks PII (full record details!) |
P1 |
VERIFIED |
| 766495 |
Draft composition shows wrong in-line images from other draft, if other draft mail is placed at original offset of editing draft mail by Compact. So, if mail is sent without draft save after Compact, wrong image is silently sent by Tb. |
-- |
VERIFIED |
| 769127 |
Google (and possibly other) cookies are not cleared on shutdown despite Clear Cookies checked in Prefs UI |
-- |
RESOLVED |
| 769145 |
Add an opt-in for the search suggestions feature |
-- |
VERIFIED |
| 770115 |
Thumbnail storage setting should be explicit |
-- |
RESOLVED |
| 773338 |
history timing attack with href switching |
-- |
RESOLVED |
| 773788 |
Provide client-side urlbar suggestions for top domains |
-- |
RESOLVED |
| 774517 |
Don't request search suggestions for strings that look like URLs |
-- |
RESOLVED |
| 775425 |
"Clear History when Firefox closes" doesn't work |
-- |
RESOLVED |
| 776397 |
privacy enhancement: prevent local timestamp disclosure via Date and Message-ID header fields |
-- |
RESOLVED |
| 776710 |
Uncontrollable, undocumented user tracking in addons UI |
-- |
RESOLVED |
| 777224 |
Alarm API - .getAll() and .remove() can only interact with alarms scheduled by the same app |
-- |
RESOLVED |
| 777725 |
If one Username with Password is stored, you can read it by javascript |
-- |
RESOLVED |
| 779197 |
Use a protocol not accessible from content |
P3 |
RESOLVED |
| 783047 |
Update SafeBrowsing to use HTTPS |
-- |
RESOLVED |
| 783203 |
In Firefox 13 updated new tab system the thumbnail which takes snapshots of sites you visit, then replays them later when you use the New Tab window again.It clearly reveals the content of the earlier secure browsing. |
-- |
RESOLVED |
| 783438 |
Cookies re-appear after coming out of private browsing (even after "clearing" cookies) |
-- |
RESOLVED |
| 784505 |
Fennec shouldn't use the GPS when the tab or app is in the background |
P3 |
REOPENED |
| 786276 |
Don't autofill logins in frames that are not same-origin with top-level page |
P2 |
VERIFIED |
| 787521 |
Disable theme-related CSS media queries features when not in chrome context |
-- |
RESOLVED |
| 791196 |
.part files not removed after cancelling Private Browsing during a download |
-- |
RESOLVED |
| 791943 |
navigator.mozApps.install can be used to enumerate local file names |
-- |
RESOLVED |
| 795834 |
Privacy issue with pdf.js remembering last view |
P1 |
VERIFIED |
| 796292 |
[camera] get rid of geolocation permission prompt |
-- |
RESOLVED |
| 798160 |
About:support should not copy the sync username and account as it may be personally identifiable |
-- |
RESOLVED |
| 799017 |
error |
-- |
RESOLVED |
| 799450 |
Thunderbird adds the text of an email in the Drafts folder to an email I send (Confidential data in other/irrelevant draft mail is silently exposed to unexpected recipients by Tb as data of image part) |
-- |
VERIFIED |
| 803582 |
Usage of OCSP fetching makes Firefox slow |
P3 |
NEW |
| 803806 |
Local Privacy/Security vulnerability - Session Restore writes visited URLs, history, titles, referrers, and more to sessionstore.js (on exit), allowing prior session restoration even with all histories disabled&cleared and about:config set to disable SR. |
-- |
RESOLVED |
| 807026 |
[Browser] "History" awesomescreen view briefly displays your old history, *after* you've cleared history |
P3 |
VERIFIED |
| 807030 |
[Browser] "Clear History" doesn't clear Top Sites. (and there's no other obvious way to clear them) |
P3 |
VERIFIED |
| 807056 |
[Browser] Clear History doesn't clear back/forward history in open tabs |
P3 |
VERIFIED |
| 807059 |
[Browser] "Clear Private Data" doesn't clear cookies, even though it says it will |
P3 |
RESOLVED |
| 807065 |
[Browser] Clear Private Data needs clarification on what it will & won't clear (especially when it differs from Firefox on Android) |
P1 |
VERIFIED |
| 811582 |
window JS object provides a large amount of identifiable information |
-- |
RESOLVED |
| 812167 |
302 Redirect Responses are Cached to disk despite "Cache-control: no-cache", no-store", "Pragma: no-cache" and "Expires: -1" HTTP header being set |
-- |
RESOLVED |
| 812956 |
Implement FFOS Privacy Policy |
P2 |
RESOLVED |
| 812972 |
Modify geolocation behaviour from Everything.me |
P1 |
RESOLVED |
| 816318 |
Use System download manager on GB+ |
-- |
RESOLVED |
| 816866 |
Certificate errors frequently caused by captive portals should trigger captive portal detection |
-- |
RESOLVED |
| 818337 |
Provide Usable and Effective Third-Party Web Tracking Countermeasures (Meta) |
-- |
NEW |
| 818340 |
Block cookies from sites I haven't visited |
-- |
RESOLVED |
| 818357 |
Settings "About your privacy" link for "Browser OS" goes to a Firefox *web browser* privacy page |
-- |
RESOLVED |
| 819343 |
System-wide icon/etc for active camera/mic use (webrtc) |
-- |
RESOLVED |
| 822516 |
encrypt thumbnail image files |
-- |
RESOLVED |
| 822790 |
Privacy technical followup for spdy persistent cwnd setting |
-- |
RESOLVED |
| 822869 |
Expand user options and limit default behavior for sending of HTTP referers |
-- |
RESOLVED |
| 822948 |
Don't capture thumbnails when 'Cache-Control: no-store' is given in a meta tag (instead of a HTTP header) |
-- |
RESOLVED |
| 823233 |
unrequested nsmail.tmp attachment being added to forwards |
-- |
RESOLVED |
| 823829 |
thumbnail service captures pages that have "Cache-Control: no-store" content |
-- |
REOPENED |
| 825469 |
Download history is not deleted |
-- |
RESOLVED |
| 826273 |
Opening private tab and attempting to open a tab from last time opens it in a normal tab |
-- |
VERIFIED |
| 827193 |
disclosure of profile directory name in JavaScript variable visible to Workers |
-- |
RESOLVED |
| 830628 |
pdfjs.database stored in prefs.js even in private browsing mode |
-- |
RESOLVED |
| 831494 |
Everything.me tracks usage in great detail |
-- |
RESOLVED |
| 832660 |
"maintain offline storage" permission(s) confusing and incomplete |
-- |
RESOLVED |
| 839698 |
Private browsing API/environments are broken for extensions in Firefox 21 (nightly) |
-- |
RESOLVED |
| 839856 |
Emails with remote content viewable cannot stop showing remote content |
-- |
RESOLVED |
| 840271 |
Gallery exposes GPS EXIF data when sharing photos to third party apps |
-- |
RESOLVED |
| 840678 |
Use HTTPS instead of HTTP for input.mozilla.org submissions |
-- |
RESOLVED |
| 840750 |
Backout bug 818340 from Aurora after 2/19/2013 merge day |
-- |
RESOLVED |
| 840828 |
Add metrics to FHR for SocialAPI |
P2 |
RESOLVED |
| 840928 |
Transition to a WebKit engine |
-- |
RESOLVED |
| 845758 |
cookie permission dialog and page info dialog should handle cookie permissions set ALLOW_FIRST_PARTY_ONLY |
-- |
RESOLVED |
| 845787 |
enable to set cookie permission "Allow First Party Only" from Cookie Permission dialog |
-- |
RESOLVED |
| 847884 |
Option "Warn Me when web sites try to redirect..." should be treated like other "permissions" |
-- |
RESOLVED |
| 849451 |
Send more CPU info in FHR payload |
P4 |
RESOLVED |
| 849694 |
Scam Detect should have parameter changed from Yes/No to Gradient 0-255 |
-- |
RESOLVED |
| 849947 |
FHR submission counts vs Blocklist ping |
P1 |
RESOLVED |
| 850066 |
Consider sending an empty Health Report payload if user has opted out |
P4 |
RESOLVED |
| 850909 |
Use background tab thumbnailing service for Top Sites in Metro Firefox |
-- |
RESOLVED |
| 854798 |
Compacting Berkeley Mbox file changes messageKey (to new MsgOffset after compact), causing dataloss/privacy problems (bug 817245 / bug 799450, bug 766495) due to current design problem of MsgKey=MsgOffset (for Berkeley Mbox files) |
-- |
VERIFIED |
| 856909 |
clear history on firefox close is not clearing thumbnails |
-- |
RESOLVED |
| 863063 |
quitting private browsing mode does not delete partially downloaded files |
-- |
RESOLVED |
| 863246 |
resource:// URIs leak information (Tor 8725) |
P1 |
VERIFIED |
| 863332 |
Private Browsing will use existing (app)cache during private browsing sessions [VN: JVN#34899401 / TN: JPCERT#93478616] |
-- |
RESOLVED |
| 863777 |
Teach ANR reporter to use the profiler to get a native stack |
-- |
RESOLVED |
| 864047 |
Combine -- and Delete -- Special Caches with General Cache |
-- |
NEW |
| 867501 |
Date.toLocaleFormat exposes OS locale (Tor 13019) |
-- |
RESOLVED |
| 869398 |
Don't pollute search URLs with branding |
-- |
RESOLVED |
| 870667 |
Reinstate the dom.enable_performance preference, but have it just control what gets returned from performance.timing.* |
-- |
RESOLVED |
| 870790 |
master password & history cleaning |
-- |
RESOLVED |
| 873361 |
Unique App ID origins can be used as a tracking mechanism |
-- |
RESOLVED |
| 877159 |
[Meta] Tracker bug for attachment paradigm failures - "attach/embed immediate snapshot" VS. "attach/embed later when sending" |
-- |
NEW |
| 884270 |
Link Visitedness can be detected by redraw timing |
P3 |
RESOLVED |
| 886679 |
Privacy-Technical Review: Shumway SWF Runtime |
-- |
RESOLVED |
| 890620 |
Password dialog doesn't mask password |
-- |
VERIFIED |
| 890739 |
Sending to List from Addressbook does not use BCC, breaks privacy by default |
-- |
VERIFIED |
| 891116 |
Click-to-play permissions set in private browsing stay around after exiting private browsing (privacy leak) |
P1 |
RESOLVED |
| 891289 |
connection to sb-ssl.google.com:443/safebrowsing.clients.google.com:80 despite browser.safebrowsing.enabled set to false |
-- |
RESOLVED |
| 891291 |
connection to services.addons.mozilla.org:443/versioncheck-bg.addons.mozilla.org:443 despite updates are disabled |
-- |
RESOLVED |
| 891629 |
Blocking storage of HSTS data for third-party domains (when requested) |
-- |
UNCONFIRMED |
| 896509 |
Record guest mode usage in FHR for Android |
-- |
RESOLVED |
| 898109 |
Draft autosave sends incomplete message prematurely, emails without warning when composing |
-- |
RESOLVED |
| 900541 |
Contacts side bar: First address wrongly pre-selected when changing address book (risk of sending message to unintended recipients) |
-- |
RESOLVED |
| 903959 |
custom resource://foo/ allows fingerprinting addons |
-- |
RESOLVED |
| 904341 |
Content-blocking Add-Ons and Tracking Protection not working with background thumbnails |
-- |
NEW |
| 904478 |
"Reply with Template" Filters leak email address to mailing lists |
-- |
RESOLVED |
| 905258 |
Firefox doesn't support/report "AES cipher, 256-bit key" on https://www.fortify.net/sslcheck.html |
-- |
RESOLVED |
| 906448 |
An ETag set outside of private browsing mode will be sent in private browsing mode and vice versa (also with containers) |
-- |
RESOLVED |
| 907707 |
Security issues related to users making directories available to a page via <input type=file directory> or drag-and-drop |
P3 |
NEW |
| 909024 |
Stylish config leaks from private browsing |
-- |
RESOLVED |
| 909771 |
We can access user browsing information in Private Mode with our implemented extension hence the extensions are not disabled by default in Private mode. |
-- |
RESOLVED |
| 912202 |
Unify site-specific and third party permission across all forms of local storage |
P3 |
NEW |
| 917871 |
Privacy Review: Necko Predictive Network Actions |
-- |
RESOLVED |
| 920246 |
Privacy-Technical Review: TogetherJS |
-- |
RESOLVED |
| 921462 |
"Reset Firefox" UI does not mention the desktop backup of the old profile |
-- |
NEW |
| 925376 |
Autofilled usernames+passwords should not be accessible to page JS before form submit |
-- |
RESOLVED |
| 926761 |
URL guessing/searching are major privacy/security problems and need to be easily configurable, with prompt or default-off. |
-- |
RESOLVED |
| 926899 |
Support DNT on websites |
-- |
RESOLVED |
| 930179 |
Stifle URL logging for private tabs with the new Intent:GetHandlers message |
-- |
RESOLVED |
| 930638 |
HSTS state can track users, follows them in to private browsing mode |
-- |
RESOLVED |
| 937976 |
libssl stores current time in gmt_unix_time field of ClientHello and ServerHello; should use random value |
-- |
RESOLVED |
| 939666 |
Firefox should allow disabling automatic connections for "Get Add-ons" |
-- |
RESOLVED |
| 941081 |
Privacy-Technical Review: [Program] FxA on FxOS (v1.4) |
P1 |
RESOLVED |
| 941139 |
Changing sender of reopened draft message (with 1 other field manually prefilled) does not prompt to save msg when closing: verify / finetune behaviour of gContentChanged with senders/identities (which might involve auto-cc/bcc recipients) |
-- |
NEW |
| 942353 |
places.sqlite: moz_inputhistory will not be deleted when erasing history |
P3 |
RESOLVED |
| 942613 |
formhistory.sqlite: Will not be cleared when removing history, when form history is not enabled |
-- |
NEW |
| 942808 |
Privacy-Technical Review: Screen sharing UI |
-- |
RESOLVED |
| 945499 |
Switch BrowserUITelemetry from using UITelemetry's event logging to just counting events |
-- |
RESOLVED |
| 946705 |
[Privacy] Google Analytics anonymize Ip |
-- |
RESOLVED |
| 947759 |
Preload HSTS for Google-specified domains |
-- |
RESOLVED |
| 952969 |
Paypal fishing/phishing not recognized b/c of shortlink in JPG and service@paypal in addressbook |
-- |
RESOLVED |
| 957977 |
[META] Remote Privacy Protection |
-- |
RESOLVED |
| 958873 |
Use HTTPS for Bing searches |
-- |
RESOLVED |
| 958874 |
Use HTTPS for Bing search |
-- |
RESOLVED |
| 958877 |
Use HTTPS for Wikipedia searches |
-- |
RESOLVED |
| 958883 |
Use HTTPS for Yahoo searches |
-- |
VERIFIED |
| 958885 |
Use HTTPS for eBay searches from the search box |
-- |
RESOLVED |
| 958886 |
Use HTTPS for amazon.com searches from the search box |
-- |
VERIFIED |
| 959893 |
[meta] WebRTC Internal IP Address Leakage |
-- |
NEW |
| 959985 |
Notification bar for offline storage is always being bypassed despite ticking "tell me when a website asks to store data for offline use" in preferences |
-- |
RESOLVED |
| 960017 |
heap-buffer-overflow (read) at mozilla::gfx::ColorComponentAtPoint |
-- |
VERIFIED |
| 960875 |
Optionally limit possible browser size to increments of some number |
P5 |
UNCONFIRMED |
| 962552 |
Clear history completely |
-- |
UNCONFIRMED |
| 966030 |
Implement navigator.mozAppDetails and expose the property on white-listed domains |
-- |
RESOLVED |
| 966752 |
Security & Privacy Add-On |
P3 |
RESOLVED |
| 968458 |
Track app install/uninstalls per user+device |
P4 |
RESOLVED |
| 970092 |
change default referer setting |
P5 |
RESOLVED |
| 970136 |
HTTP referer: Allow to send target host as referer when crossing domains |
P5 |
RESOLVED |
| 971171 |
Measure with telemetry how many times people see about:newtab |
-- |
VERIFIED |
| 973422 |
'clear recent history' forgets what page you're really on |
P3 |
UNCONFIRMED |
| 975570 |
Measure with telemetry how many times people interact with about:newtab |
-- |
VERIFIED |
| 983799 |
Technical Privacy Review: The feature detection API |
-- |
RESOLVED |
| 984826 |
Private tabs should close when leaving Firefox |
-- |
RESOLVED |
| 986091 |
Privacy-Technical Review: Directory Tiles (Services) |
-- |
RESOLVED |
| 986966 |
pdfjs.database not cleared when clearing history |
P2 |
RESOLVED |
| 989606 |
Use Web of Trust data to improve spam/scam detection (wot) |
-- |
NEW |
| 1000253 |
Background tabs with persistent device permissions can access devices without the user noticing |
-- |
VERIFIED |
| 1001973 |
Add an option to ask for the master password at startup |
-- |
RESOLVED |
| 1008620 |
Clearing history should also clear jump list cache on Windows |
-- |
RESOLVED |
| 1011279 |
Privacy-Technical Review: Democratize API access on Mozillians.org |
-- |
RESOLVED |
| 1013947 |
Remove legacy signons.sqlite files and references |
P5 |
RESOLVED |
| 1019583 |
Enable notifications by default again for using offline storage and update Offline Web Applications preference pane |
-- |
RESOLVED |
| 1020539 |
about:networking hostname list not clearing after deleting history |
-- |
VERIFIED |
| 1022444 |
Randomize MAC address when doing a Wi-Fi scan |
-- |
RESOLVED |
| 1024017 |
Add ability to choose info shown in the desktop chat notifications |
-- |
RESOLVED |
| 1025569 |
Notifications for requests from Offline Web Applications offer beyond-session options in Private Browsing mode |
-- |
RESOLVED |
| 1025684 |
With mail.identity.default.autocompleteToMyDomain=true, edit an address after autocomplete and autocomplete reselects the first choice, even reverts to a different address (only for speedy corrections!) |
-- |
RESOLVED |
| 1028733 |
Folder to which a file was saved in Private session, and used for opening in normal session |
-- |
NEW |
| 1033374 |
impossible to copy-paste parts of a link without visiting it. text select opens link |
-- |
UNCONFIRMED |
| 1033470 |
Add Tor panel in Firefox OS settings. |
-- |
RESOLVED |
| 1033826 |
Randomize MAC address on ifup |
-- |
RESOLVED |
| 1034842 |
Firefox should preload favicons for default protocol services it ships |
P3 |
REOPENED |
| 1038296 |
Use of Places and related browsing-history mechanisms in Thunderbird [meta] |
-- |
NEW |
| 1038448 |
Lockscreen should not show contents of notifications if I have a PIN setup |
-- |
RESOLVED |
| 1039069 |
Warn the user that customizing the preferred language list (Accept-Language) can be used for fingerprinting |
P1 |
RESOLVED |
| 1042880 |
Initiate geolocation request *before* user clicks "Share Location" button to reduce UI latency |
-- |
VERIFIED |
| 1044073 |
No option to totally stop connections for add-on update compatability checks |
-- |
RESOLVED |
| 1044559 |
Email reply sent to wrong recipients |
-- |
RESOLVED |
| 1046207 |
Compose Message window ghost exposes contents of previous composition for a moment when starting a new message |
-- |
VERIFIED |
| 1046768 |
Private Browsing Indicator Not Present In Title Bar When Firefox Launched With -private Switch |
-- |
RESOLVED |
| 1047098 |
'Clear Recent History' with 'Cache' or 'Offline Website Data' doesn't clear QuotaManager storage and ServiceWorkers |
P1 |
VERIFIED |
| 1048444 |
Search activity displays private browsing searches from browser |
P1 |
VERIFIED |
| 1048513 |
location bar: In Private Browsing mode Firefox shouldn't save browser.fixup.domainwhitelist. entries |
-- |
VERIFIED |
| 1049807 |
Firefox remembers full screen mode even when using private browsing |
-- |
RESOLVED |
| 1049994 |
Privacy-Technical Review: Project Plan Coordinator for Grow Program |
-- |
RESOLVED |
| 1051218 |
Downloaded file List in Private Mode are kept in Normal Mode |
-- |
RESOLVED |
| 1054739 |
Reduce HTTP Accept-Language Entropy |
-- |
RESOLVED |
| 1055414 |
Privacy-Technical Review: Project MozID: Brand Identity Evolution |
-- |
RESOLVED |
| 1057675 |
[META] Privacy Control |
-- |
RESOLVED |
| 1057676 |
[META] Adjustable location accuracy |
-- |
RESOLVED |
| 1060152 |
[RPP] Detect if Password set |
-- |
RESOLVED |
| 1060154 |
[RPP] Detecting, Setting and Storing the Password in the SettingsDB |
-- |
RESOLVED |
| 1060156 |
[RPP] Reset Password flow |
-- |
RESOLVED |
| 1060157 |
[RPP] Main panel |
-- |
RESOLVED |
| 1060159 |
[RPP] Detect if the screen lock is on |
-- |
RESOLVED |
| 1060160 |
[RPP] create an SMS listener |
-- |
RESOLVED |
| 1060162 |
[RPP] parse the SMS |
-- |
RESOLVED |
| 1060163 |
[RPP] check the activation password |
-- |
RESOLVED |
| 1060164 |
[RPP] trigger the functions appropriately |
-- |
RESOLVED |
| 1060166 |
[RPP] report the location back with SMS, trigger remote wipe |
-- |
RESOLVED |
| 1060168 |
[RPP] remove the password from the DB |
-- |
RESOLVED |
| 1060169 |
[PP] First Panel |
-- |
RESOLVED |
| 1060170 |
[PP] Guided Tour Flow |
P5 |
RESOLVED |
| 1060172 |
[PP] Dashboard |
-- |
RESOLVED |
| 1060173 |
[PP] Initialize the settings |
-- |
RESOLVED |
| 1060174 |
[SETTINGS] Launch the Privacy Panel from Settings App |
-- |
RESOLVED |
| 1060177 |
[ALA] Grid Algorithm |
-- |
RESOLVED |
| 1060178 |
[ALA] check the settings DB for the location precision |
-- |
RESOLVED |
| 1060181 |
[ALA] Return the chosen LA |
-- |
RESOLVED |
| 1060546 |
Awesome bar autocomplete suggestions should prefer HTTPS URLs |
P3 |
RESOLVED |
| 1061807 |
[ALA][UI] Implementation of Panel 1 |
-- |
RESOLVED |
| 1061814 |
[ALA][UI] Implementation of Panel 2 in appropriate context |
-- |
RESOLVED |
| 1061815 |
[ALA][UI] Implementation of Panel 3 in appropriate context |
-- |
RESOLVED |
| 1061835 |
[ALA][UI] Implementation of Panel #4 |
P4 |
RESOLVED |
| 1061840 |
[ALA][UI] Implementation of Panel #5 |
-- |
RESOLVED |
| 1062607 |
[PP] Place the app in dev_apps |
-- |
RESOLVED |
| 1062876 |
The "stop sharing" option in the video sharing control in the URL bar has no effect in iframes |
-- |
VERIFIED |
| 1062920 |
WorkerNavigator strings should honor general.*.override prefs |
-- |
VERIFIED |
| 1062981 |
Navigating away from a page with camera sharing in an iframe leaves camera recording |
-- |
VERIFIED |
| 1063610 |
[ALA] reading app exception list (from setting DB) |
P3 |
RESOLVED |
| 1064184 |
Search suggestions from remote services should stop after the user has typed a URL scheme |
-- |
RESOLVED |
| 1068008 |
[ALA] Geolocation toggle not connected to the settings |
-- |
RESOLVED |
| 1068017 |
[PP][UI]CHange the color theme |
-- |
RESOLVED |
| 1068023 |
[ALA][UI] Slider doesn't look as it should |
-- |
RESOLVED |
| 1068029 |
[ALA][UI] Per-app settings are not independent |
P4 |
RESOLVED |
| 1068031 |
[ALA][UI] Panel1 - clicking anywhere on the screen deactivates LB |
-- |
RESOLVED |
| 1068035 |
[ALA][UI] Panel 5 - text under not chosen setting is gray |
-- |
RESOLVED |
| 1068039 |
[ALA][UI] Panel 5 User input is buggy |
-- |
RESOLVED |
| 1068043 |
[RPP] parse the SMS - changes |
-- |
RESOLVED |
| 1068044 |
[ALA] Return the chosen LA |
-- |
RESOLVED |
| 1068601 |
[PP] Remove GT from PP |
-- |
RESOLVED |
| 1068683 |
[RPP] Reset Password flow should always be available |
-- |
RESOLVED |
| 1069144 |
[ALA][UI] Fix back button of Panel 1 |
-- |
RESOLVED |
| 1069296 |
[RPP] Change password for RPP always present |
-- |
RESOLVED |
| 1069915 |
[PP] Land Privacy panel app in /dev_apps |
-- |
RESOLVED |
| 1070251 |
Anonymization does not anonymize inProcessTabChildGlobal URLs |
-- |
RESOLVED |
| 1071042 |
[PP] Verify the localization of PP |
-- |
RESOLVED |
| 1074134 |
Remote content not blocked in attached messages (forward as attachment) if sender white-listed him/herself in the remote content exceptions (comment #21) |
-- |
NEW |
| 1074150 |
Second instance of incognito mode remembers the log-in session |
-- |
RESOLVED |
| 1074169 |
Private tabs should be hidden/closed when app is not in active state |
-- |
RESOLVED |
| 1074793 |
Opened attachment in /tmp is world readable and visible to all users |
-- |
RESOLVED |
| 1077874 |
Don't expose Firefox patch level (32.0.x) in Safe Browsing requests, only the major version (32.0) |
P5 |
RESOLVED |
| 1077986 |
offline storage permission setting not working correctly |
-- |
RESOLVED |
| 1080969 |
[PP] Add warnings to Privacy panel app to make sure users are aware of limitations of geolocation accuracy |
-- |
RESOLVED |
| 1082787 |
Search bar should not send URL to Everything.me / marketplace. |
-- |
VERIFIED |
| 1083776 |
Privacy panel guided tour content isn’t comprehensive of FxOS security/privacy features |
-- |
RESOLVED |
| 1083789 |
SMS involves inherent security risks |
-- |
RESOLVED |
| 1086319 |
Multiple private windows with individually encapsulated cookies |
-- |
RESOLVED |
| 1088565 |
[META] Privacy Panel version 2.0 |
-- |
RESOLVED |
| 1089473 |
Unable to "Forget about this site" or otherwise mitigate punctilious HSTS effect |
-- |
RESOLVED |
| 1089711 |
Recipient autocomplete: after selecting result entry with [cursor down],[cursor right], confirming with TAB or ENTER cunningly selects the wrong recipient (1st result) |
-- |
RESOLVED |
| 1090433 |
Possible to track users visits to servers with particular HSTS configurations |
P3 |
RESOLVED |
| 1092445 |
Default reply comment header shows emails to those not logged for accounts without a "real name" |
-- |
NEW |
| 1093183 |
New tabs tile for Wells Fargo Online undesirably shows bank username |
-- |
RESOLVED |
| 1093688 |
[PP] Adjustable Location Accuracy - Exception not working |
P1 |
RESOLVED |
| 1095967 |
Icon of web notification API bypasses CSP and it's request shares cookie between non-private mode and private mode |
-- |
NEW |
| 1097134 |
Tiles create cookies against my explicit choice to not accept cookies |
-- |
RESOLVED |
| 1101378 |
video self-image can be cropped, falsely making users think they're transmitting less video than they are |
P1 |
RESOLVED |
| 1101528 |
Firefox uses the same TLS session ticket and/or ID between normal and private browsing |
-- |
RESOLVED |
| 1102808 |
[meta] Clear Recent History / Forget button blind spots |
P3 |
NEW |
| 1105280 |
"About Privacy Panel" screen text is cut off |
-- |
RESOLVED |
| 1105304 |
[l10n] Privacy Panel: long string truncated, untranslated elements, strings reused |
-- |
RESOLVED |
| 1106158 |
Showing random video memory when dragging compose window from normal dpi to Retina dpi display |
-- |
RESOLVED |
| 1106228 |
Polaris is enabled on Beta after configuration change on Nightly |
-- |
RESOLVED |
| 1108249 |
Copying into an email only part of a locally-stored HTML document (from Firefox) results in whole file being attached to the email |
-- |
RESOLVED |
| 1108547 |
Private browsing mode context is broken by <a> or <form> with target attribute |
-- |
RESOLVED |
| 1110507 |
self-image can be cropped by being out of scroll (firefox embedded client) |
P1 |
RESOLVED |
| 1111725 |
UMS (USB) mounting after reboot even without unlocking |
-- |
RESOLVED |
| 1111992 |
[Privacy] Enable privacy control will cause device to keep rebooting when using geolocation |
P1 |
RESOLVED |
| 1112264 |
self-image can be cropped by being out of scroll (standalone client) |
P1 |
RESOLVED |
| 1112727 |
make minimum size of socialAPI chat window overridable on a per URL-basis |
P1 |
RESOLVED |
| 1113393 |
Implement robust prevention of partial display of local video |
P3 |
RESOLVED |
| 1113431 |
<meta name="referrer"> is ignored for navigations from the context menu and via a middle-click |
-- |
RESOLVED |
| 1114475 |
Implement configuration to send a minimal User-Agent header, or no header at all, in sent emails |
-- |
RESOLVED |
| 1114476 |
[DT][Privacy]change Privacy Panel to a meaningful word |
-- |
RESOLVED |
| 1115218 |
[Settings][Privacy Panel] Guided tour's Back and Next buttons respond when tapped while the pages are transitioning |
-- |
RESOLVED |
| 1117814 |
Deleted email content shows up in sent message after Thunderbird crash |
-- |
RESOLVED |
| 1118155 |
[DT][Privacy] The latitude and longitude are 0 when enable privacy control |
-- |
RESOLVED |
| 1118475 |
301 redirect cache should be cleared when cookies are |
-- |
RESOLVED |
| 1119778 |
Forget about this site does not clear HSTS setting |
-- |
VERIFIED |
| 1120325 |
Intermittent rpp_main_test.js | remote privacy protection main panel "before each" hook |
-- |
RESOLVED |
| 1120398 |
Security: Addons with no contentaccessible resources can be enumerated via differing error results |
P5 |
RESOLVED |
| 1120577 |
[Privacy Panel] Changing passphrase and entering wrong SIM PIN does NOT warn user of number of tries left before SIM will be locked |
-- |
VERIFIED |
| 1120726 |
[Privacy Panel][Remote Privacy Protection] RPP functions disable notifications on the lock screen without notifying the user. |
-- |
RESOLVED |
| 1120733 |
[Privacy Panel] The Back arrow button disappears after doing some actions |
-- |
RESOLVED |
| 1121152 |
[UX][PP] Guided Tour screen slide with sliding UI buttons looks |
-- |
RESOLVED |
| 1121212 |
[Privacy Panel][Geolocation] User can turn off Geolocation after RPP Locate is enabled. |
-- |
RESOLVED |
| 1121232 |
[Privacy Panel][Remote Privacy Protection] Closing Privacy Panel in the Task Manager prevents first received RPP feature from functioning. |
-- |
VERIFIED |
| 1121250 |
[Privacy Panel][Remote Privacy Protection] RPP Locate function will not send any return message or lock the device if there is no WiFi or Data network connection |
-- |
RESOLVED |
| 1121643 |
Add an option to only expose whitelisted system fonts to avoid fontlist fingerprinting (Tor 13313) |
P3 |
RESOLVED |
| 1121789 |
[Privacy Panel][Location Accuracy] Custom Location is not working |
-- |
RESOLVED |
| 1122298 |
Lockscreen will not show accurate time after receiving RPP Lock command. |
-- |
VERIFIED |
| 1122688 |
[Privacy Panel][Transparency Control] EmergencyCall has a missing icon in the Application list under Transparency Control. |
-- |
VERIFIED |
| 1124127 |
Round Off Navigator Battery Level on Linux |
-- |
RESOLVED |
| 1124867 |
[Privacy Panel][Remote Privacy Protection] Lock screen improperly respects Screen Timeout settings following an RPP function |
-- |
RESOLVED |
| 1125070 |
[RTL][Settings]The app icons in Location Accuracy list is not mirrored. |
P2 |
VERIFIED |
| 1128236 |
When on some VPN software Implementations, STUN candidates will still include your real IP address |
-- |
RESOLVED |
| 1128892 |
Random confidential messages attached to another message |
-- |
RESOLVED |
| 1130858 |
Recipient autocomplete suggestion overrides ANY manual address input if quickly entered/pasted and confirmed with Enter/Tab before autocomplete suggestions disappear |
-- |
RESOLVED |
| 1131474 |
Following HTML links on RSS preview should't sends feed URL as referer |
-- |
RESOLVED |
| 1133413 |
passwords of all known wifi networks are dumped to logcat |
-- |
RESOLVED |
| 1135120 |
Search bar sends data to search engines even when search suggestions are disabled |
-- |
RESOLVED |
| 1135728 |
air.mozilla.org vid.ly videos fail to load with tracking protection enabled (g-a breakage) |
-- |
RESOLVED |
| 1136163 |
Content can set location.href to about:reader? urls and check for items in the reading list |
-- |
RESOLVED |
| 1137589 |
Clear history does not delete Windows 7 start menu jumplist |
-- |
RESOLVED |
| 1138022 |
Add support for telemetry of sensitive data using RAPPOR |
-- |
RESOLVED |
| 1138033 |
Stubborn recipient autocomplete silently swaps recipients: Cannot compose message to valid, normal, new email address (doe@asdf.com/admin@foo.co) if similar longer address already exists in AB (john.doe@asdf.com/admin@foo.com) |
P2 |
RESOLVED |
| 1139540 |
[Privacy Panel][Remote Lock] Lockscreen becomes unresponsive after remote lock |
-- |
VERIFIED |
| 1144233 |
Recipient autocomplete considers last mouse-hovered contact from results dropdown "selected" and then uses that upon blur (e.g. when moving to subject) |
-- |
RESOLVED |
| 1144598 |
Sender's identity incorrectly preserved after "Edit as New" |
-- |
RESOLVED |
| 1147634 |
Can't remove google.com cookie via Remove Cookie button |
-- |
RESOLVED |
| 1148032 |
BroadcastChannel API bypasses private browsing mode |
-- |
RESOLVED |
| 1148033 |
BroadcastChannel API bypasses Browser API sandbox on B2G |
-- |
RESOLVED |
| 1151366 |
File disclosure via covertly imposed attachments in HTML emails |
-- |
RESOLVED |
| 1152448 |
"Forget About This Site" does not forget site's enumerateDevices Ids |
P3 |
NEW |
| 1152517 |
Recipient autocomplete wrongly considers last mouse-hovered contact from results dropdown "selected" and then uses that unintended, random recipient upon blur (via Tab, Enter, or when moving to subject or body) |
P1 |
RESOLVED |
| 1153087 |
External Android apps can automatically launch from Private Browsing tab, dropping any pretense of privacy |
-- |
RESOLVED |
| 1153672 |
Fingerprinting individuals via performance.now() |
-- |
RESOLVED |
| 1156107 |
<meta name=referrer> doesn't work when a popup created via target=_blank on a javascript: URI is navigated by that javascript: URI |
P5 |
NEW |
| 1157643 |
Stop sending the roomOwner or always send it as guest |
-- |
RESOLVED |
| 1157645 |
Always send the room owner as "-" |
P3 |
RESOLVED |
| 1162176 |
Stop sending full IndexedDB database names as part of SlowSQL telemetry |
-- |
RESOLVED |
| 1162327 |
MozTemp is not deleted |
-- |
RESOLVED |
| 1166316 |
Old MozTemp-*s are still not deleted in non-debug builds. |
-- |
RESOLVED |
| 1167489 |
"Spy in the Sandbox" - Security issue related to High Resolution Time API |
-- |
RESOLVED |
| 1167856 |
Client configuration leakage via JS/protocol checking |
-- |
NEW |
| 1169940 |
Ask users to enable tracking protection when they enable DNT |
-- |
RESOLVED |
| 1173147 |
Prompt the user when opening intent URIs in private browsing mode |
-- |
RESOLVED |
| 1176874 |
Restore ability to disable Session Restore completely |
-- |
NEW |
| 1178104 |
Propagate referrer policy throughout the UI: command-click and context menu open link in new tab/window (Port relevant bits from Bug 1113431) |
-- |
NEW |
| 1178220 |
Disabling FHR/Telemetry when unified not honored |
-- |
RESOLVED |
| 1178547 |
Addressee changes when clicking send |
-- |
RESOLVED |
| 1180201 |
Pictures from the mail i replied to got replaced with other pictures from other mail in my mailbox. |
-- |
RESOLVED |
| 1180633 |
Reply to all with me on Bcc of original message should warn that my identity will be exposed to the recipients |
-- |
NEW |
| 1181992 |
Folders not deleted : .\AppData\Local - .\AppData\Roaming - .\Program Files(x86) |
-- |
RESOLVED |
| 1182129 |
[PP] Back out privacy panel |
-- |
RESOLVED |
| 1182546 |
Use channel->asyncOpen2 in parser/htmlparser/nsExpatDriver.cpp |
-- |
RESOLVED |
| 1182805 |
saved-telemetry-pings directory still created with Telemetry disabled in Firefox beta 40 |
P3 |
RESOLVED |
| 1183100 |
Using 200hz the Gyroscope can be used to emulate audio inputs |
-- |
RESOLVED |
| 1185158 |
Every time browser starts, it loads homepage first, even if it wasn't opened in last session, and only after that browser loads all correct pages. |
-- |
RESOLVED |
| 1186489 |
Clamp the resolution of performance.now() in workers too |
-- |
RESOLVED |
| 1187504 |
Find a better way to handle user credentials in Bugzilla Auth Delegation flow |
P1 |
RESOLVED |
| 1187519 |
Take Bug 1152517 "Recipient autocomplete wrongly considers last mouse-hovered contact ..." and Bug 1130858 "Recipient autocomplete suggestion overrides ANY manual address ..." into TB 38.x |
P1 |
RESOLVED |
| 1192739 |
UX confusion when entering recipient addresses ("double focus"): TAB or ENTER unexpectedly uses last-hovered contact instead of typed recipient from input box |
-- |
RESOLVED |
| 1197499 |
EU cookie law breach |
-- |
RESOLVED |
| 1197791 |
Password logged to Error Console |
-- |
RESOLVED |
| 1198418 |
[meta] Local authentication Touch ID / Passcode support |
-- |
RESOLVED |
| 1199289 |
Malformed http-auth like URL may issue a web research. |
-- |
VERIFIED |
| 1201349 |
Undesired / unexpected attachment automatically sent (twice) |
-- |
RESOLVED |
| 1201782 |
Phenomenon of bug 766495 (wrong image), bug 799450 (text data for image), and bug 817245 (endless attaching) ... even when Compact doesn't change messageKey. Caused by Repair Folder making messageKey re-used in MessageCopyMove and changed messageKey |
-- |
RESOLVED |
| 1201973 |
"Stop Sharing" in gUM in-use doorhanger doesn't revoke persistent permissions in different-domain iframe |
-- |
VERIFIED |
| 1204309 |
It is not clear to me exactly what private information the Tiles feature leaks to Mozilla, and third parties (including intelligence agencies) |
-- |
RESOLVED |
| 1206001 |
Forget About This Site doesn't clear third-party data |
-- |
RESOLVED |
| 1206459 |
cannot uninstall a CustomizableUI widget? meaning forget its position (all traces basically) |
-- |
RESOLVED |
| 1209252 |
about:webrtc should have a clear screen button |
P1 |
RESOLVED |
| 1211348 |
Don't restore private tabs after killing the app if "Close Private tabs when leaving private browsing" is enabled |
P1 |
VERIFIED |
| 1211669 |
The Clock is Still Ticking: Timing Attacks in the Modern Web |
P5 |
NEW |
| 1212029 |
Attachments hosting domain may expose user identity through SNI |
-- |
RESOLVED |
| 1212138 |
Information leakage using <img src> with news or nntp URI scheme |
-- |
RESOLVED |
| 1213692 |
Request: A way for a website to delete history (auto private) |
-- |
RESOLVED |
| 1216793 |
Subresources loaded via XHR or fetch() are not caught by TP |
-- |
RESOLVED |
| 1221786 |
about:webrtc includes calls from private browsing mode even after last pb session is closed |
P1 |
RESOLVED |
| 1223718 |
Tracking protection prevents loading tweets module onto a webpage |
-- |
RESOLVED |
| 1225322 |
Add "Do not remember browsing history for this site" option in site identity panel |
-- |
REOPENED |
| 1228117 |
Determine security policy for DTD loads |
P3 |
RESOLVED |
| 1228833 |
How to reset geolocation for all sites at once after the removal of about:permissions |
-- |
RESOLVED |
| 1230559 |
Firefox does not clear HSTS “cookies” when closed after a private session |
-- |
RESOLVED |
| 1231203 |
investigate OCSP requests causing disk writes in private browsing mode |
P1 |
VERIFIED |
| 1231808 |
Hide "Pause" button from infobar |
P1 |
RESOLVED |
| 1233289 |
Focusing the searchbar shouldn't refetch suggestions |
P5 |
NEW |
| 1233691 |
Redesign mediaDevices.enumerateDevices() API |
-- |
RESOLVED |
| 1233846 |
WebSpeech Synthesis API mustn't allow fingerprinting |
P3 |
NEW |
| 1233982 |
Entering URL into Address Bar Initiates Connection |
P1 |
RESOLVED |
| 1235065 |
[privacy] URL bar search suggestions: UI fails to warn users about severe privacy implications |
P3 |
RESOLVED |
| 1236155 |
Information leakage problem when using smtp + starttls |
-- |
RESOLVED |
| 1236264 |
please allow to disable spyware functionality |
-- |
RESOLVED |
| 1238018 |
Firefox allows sites to store data for offline use without prompting |
-- |
RESOLVED |
| 1239706 |
[RIL][Privacy] Introduce a pref to disable PDU_PID_SHORT_MESSAGE_TYPE_0 handling for more privacy |
-- |
RESOLVED |
| 1239897 |
Browsing history leakage by utilizing :visited pseudo together with complex SVG's. |
-- |
RESOLVED |
| 1240288 |
Possible privacy issue with "Show my windows and tabs from last time" |
-- |
RESOLVED |
| 1240564 |
Local Shared Objects (LSO's) are left intact on Permanent private browsing (Never remember history) mode |
-- |
RESOLVED |
| 1242226 |
HPKP information from normal sessions is also used in private sessions |
P2 |
RESOLVED |
| 1244340 |
Same cookie being used when using Awesomebar via different containers |
P1 |
RESOLVED |
| 1244470 |
Pinned tabs lost when closing+opening window while private window is opened. |
-- |
RESOLVED |
| 1245571 |
Access to the add-ons installed |
P1 |
RESOLVED |
| 1245578 |
nsCookieService is not shutdown-safe |
P3 |
NEW |
| 1246324 |
Carefully crafted spam forcing Thunderbird to display a remote/tracking image |
-- |
RESOLVED |
| 1246387 |
Use https for stub installer requests |
P1 |
RESOLVED |
| 1246491 |
Firefox 44 do not correct delete form search history on exit |
-- |
RESOLVED |
| 1246933 |
Unwanted attachments (Part 1.2.2) are sent for gmx accounts |
-- |
RESOLVED |
| 1249151 |
Ask every time cookies Disappeared |
-- |
VERIFIED |
| 1251222 |
Hide context menu in private browsing tabs when in the app switcher |
-- |
VERIFIED |
| 1251954 |
Thunderbird attaching files automatically |
-- |
RESOLVED |
| 1252998 |
"Forget" button does not clear Service Workers or their caches. |
P1 |
RESOLVED |
| 1253003 |
Clearing "Cached Web Content" does not clear Service Workers or their caches. |
-- |
RESOLVED |
| 1253005 |
Clearing "Offline Web Content and User Data" does not clear Service Workers or their caches. |
-- |
RESOLVED |
| 1253009 |
"Clear your recent history" does not clear Service Workers or their caches. |
-- |
RESOLVED |
| 1253027 |
Setting Firefox to clear all history on exit does not clear Service Worker caches. |
-- |
RESOLVED |
| 1253031 |
Impossible to clear data cached by Service Workers through any exposed UI. |
-- |
RESOLVED |
| 1254146 |
Active logins are no longer cleared when using custom history settings even if clear active logins is selected. |
-- |
RESOLVED |
| 1254666 |
"edit as new message" on a received message prefills the sender as the composing identity |
-- |
RESOLVED |
| 1254688 |
Resource Timing API is storing resources sent by the previous page. |
-- |
RESOLVED |
| 1254911 |
Consider to prevent location update from firing when the document isn't visible for desktop/mobile |
-- |
RESOLVED |
| 1255270 |
Favicon request doesn't timeout, or close when related window is closed |
-- |
VERIFIED |
| 1255923 |
ICE failure log sanitzation code has rotted |
P1 |
RESOLVED |
| 1257219 |
Consider unselecting or blurring out URL from Private Tabs during iOS multitasking |
-- |
VERIFIED |
| 1260360 |
Session Restore needs to honor "Clear history when Firefox closes -> Cookies" in a clean shut-down |
-- |
RESOLVED |
| 1264708 |
Written URL is remembered in web address bar in Private Browsing mode |
-- |
VERIFIED |
| 1265356 |
Downloads with blocked data should be deleted after some time |
P3 |
NEW |
| 1269461 |
edit as new message option keeps email adresss of the sender |
-- |
RESOLVED |
| 1269767 |
Push API detail remain after delete service worker registration |
-- |
RESOLVED |
| 1270793 |
Can't delete passwords |
-- |
RESOLVED |
| 1271249 |
Blob URL should not share across non-private and private windows |
-- |
RESOLVED |
| 1272679 |
Clear Recent History, 1 hour, left accessed site in places.sqlite |
P1 |
RESOLVED |
| 1276177 |
Security Disclosure: Malicious use of the phone's Gyroscope |
P4 |
NEW |
| 1276746 |
Thunderbird composer new mail with previous used attachment in 45.1.0 |
-- |
RESOLVED |
| 1278836 |
When using "Edit as New Message" the original "from" field is not replaced with my address, therefore I can send emails impersonating someone else. |
-- |
RESOLVED |
| 1279208 |
Favicon request doesn't timeout, or close when related window is closed (1255270 is not fixed yet) |
-- |
VERIFIED |
| 1279242 |
Logins are displayed in search results after they are all deleted |
-- |
RESOLVED |
| 1279558 |
The BCC option is being ignored and mails are sent as To (only using the Outlook.com SMTP server) |
-- |
RESOLVED |
| 1279720 |
Require "Search Google for <message text selection>" feature from message reader context menu to be opt-in (to avoid accidental privacy violations) |
-- |
UNCONFIRMED |
| 1280294 |
Session Manager can sometimes store Firefox Accounts Password in plain text |
-- |
RESOLVED |
| 1283067 |
Favicon request doesn't timeout or close when related window is closed (1255270 is not fixed yet) on Windows due to WindowsPreviewPreTab.jsm |
-- |
VERIFIED |
| 1284468 |
edit as new message |
-- |
RESOLVED |
| 1285003 |
Probe browser history via HSTS/301 redirect + CSP |
-- |
RESOLVED |
| 1286202 |
Files are sent without having attached to mail |
-- |
RESOLVED |
| 1286797 |
Latest Firefox on android doesnt clear history on exit when configures so |
-- |
RESOLVED |
| 1287952 |
Feature rqst: Same behavior for third-party content as for cookies in Firefox |
-- |
UNCONFIRMED |
| 1290481 |
Implement mitigations for opaque response storage in the DOM cache |
P2 |
RESOLVED |
| 1290515 |
Clicking escape button on login window is allowing to access Thunderbird without the password. |
-- |
RESOLVED |
| 1290732 |
Reader-mode leaks HTTPS URL through referer header |
-- |
RESOLVED |
| 1292655 |
Limit BatteryManager chargingTime/dischargingTime precision |
-- |
RESOLVED |
| 1293420 |
Should we disable mix-blend-mode because it can lead to a history leakage attack? |
P3 |
NEW |
| 1294110 |
Awesome bar unexpectedly performs search when mouse cursor on a search engine icon when enter is pressed |
-- |
RESOLVED |
| 1294438 |
Private browsing browser traces (android) in browser.db and wal file |
P1 |
RESOLVED |
| 1298116 |
To enhance privacy, don't reveal screen dimensions or window position |
-- |
RESOLVED |
| 1299454 |
Round Off Ambient Light Sensor event.value |
-- |
RESOLVED |
| 1300054 |
tracking protection (strict list) blocks bing maps v8 |
-- |
RESOLVED |
| 1301397 |
"Download Flash and Video" downloads in non-private window even when using it in a private window |
-- |
VERIFIED |
| 1301965 |
Private browsing navigated page leaked to non-private browsing tab back/forward stack. |
-- |
RESOLVED |
| 1302547 |
Allow users to fake WebPermissions |
-- |
RESOLVED |
| 1302552 |
Google Analytics tracking addition on Add-ons page |
-- |
RESOLVED |
| 1306050 |
History will not be deleted after FF is closed |
-- |
RESOLVED |
| 1307183 |
Privacy Locationbar |
-- |
RESOLVED |
| 1307739 |
Visual Studio 2015 C++ compiler inserts the telemetry code into binaries |
-- |
VERIFIED |
| 1308767 |
non removal of account names and passwords when deleting an account |
-- |
RESOLVED |
| 1310626 |
Don't make thumbnails of pages where the camera is in use |
P5 |
NEW |
| 1313580 |
Remove web content access to Battery API |
-- |
VERIFIED |
| 1314332 |
Block Web of TrusT (WOT) Add-on due to security and privacy issues |
-- |
RESOLVED |
| 1314555 |
mcafee extension is active even if the user has disable/uninstall it, because McAfee is injecting into extensions.ini |
P3 |
RESOLVED |
| 1315203 |
XSHM: Cross Site History Manipulation (information leakage) |
P3 |
NEW |
| 1315524 |
Clear sessionStorage when clearing cookies on clean shutdown |
-- |
RESOLVED |
| 1315662 |
deleting of SMTP-Account does not delete corresponding entry in password-manager |
-- |
RESOLVED |
| 1318070 |
keyword.enabled is half-broken, it's half enabled even when it's set to false |
P1 |
RESOLVED |
| 1318289 |
sessions are not cleared in the private window |
P1 |
RESOLVED |
| 1320465 |
Favicon is added to bookmark in Private Browsing mode |
-- |
VERIFIED |
| 1320481 |
thumbnails cache not cleared when "clear history when firefox closes" is set |
-- |
VERIFIED |
| 1320894 |
CacheFileIOManager::WriteInternal writes uninitialised padding bytes to disk |
-- |
RESOLVED |
| 1321219 |
Thunderbird ignores return receipt settings - always sends receipt |
-- |
RESOLVED |
| 1323669 |
Hide URL from process list in GNU/Linux |
-- |
RESOLVED |
| 1326041 |
asm.js fingerprinting in private mode |
-- |
RESOLVED |
| 1327649 |
Urlbar suggestions don't show some history items (no way to get rid of autofill by deleting suggestions) |
P3 |
RESOLVED |
| 1333186 |
Cannot deny camera/microphone sharing permissions individually |
P3 |
NEW |
| 1334111 |
EME: PersistentState should be disabled in private browsing mode |
P3 |
RESOLVED |
| 1334485 |
Tracking using intermediate CA caching |
P3 |
RESOLVED |
| 1334587 |
Work container tab forgets GitHub login after relaunch |
P1 |
RESOLVED |
| 1334776 |
Header name interning leaks across origins |
-- |
RESOLVED |
| 1336017 |
Provide option to block remote content for individual message (after manual un-block) and/or automatically block again after a certain (configurable) amount of time or at the end of the session |
-- |
NEW |
| 1339794 |
Cookies are not not cleared when exiting private browsing |
P1 |
VERIFIED |
| 1351308 |
Downloads are not cleared on exit |
P5 |
VERIFIED |
| 1354633 |
blank MediaError.message when resisting fingerprinting |
P2 |
RESOLVED |
| 1357733 |
The `devicelight` event allows information leaks. |
P3 |
RESOLVED |
| 1360294 |
Add ability for users to hide github link from their public profile |
-- |
RESOLVED |
| 1360823 |
Do not show websites rated for adults |
-- |
RESOLVED |
| 1372288 |
[meta] WebExtensions can be used as user fingerprint |
P3 |
NEW |
| 1380537 |
about:addons (Get Add-ons) triggers Google Analytics tracking in discovery panel |
P2 |
RESOLVED |
| 1380797 |
"Copy text to clipboard" in Troubleshooting Info does not honor "Include account names" checkbox |
-- |
RESOLVED |
| 1382708 |
Unable to manually clear recently closed tabs |
P3 |
NEW |
| 1383617 |
Simplify nsAddrDatabase.cpp by removing "deleted cards" table |
-- |
RESOLVED |
| 1385727 |
In SeaMonkey selected text from unrelated message is quoted when right-click replying to another message, cunningly with correct attribution line |
-- |
NEW |
| 1385883 |
Cannot delete history with IDN |
P1 |
RESOLVED |
| 1386252 |
Privacy discussion of PB mode |
P5 |
RESOLVED |
| 1387203 |
Thunderbird silently sent my private clipboard with email to a wide distribution list |
-- |
RESOLVED |
| 1389635 |
Caching HTTP GET response even though Cache-Control settings include no-store |
-- |
RESOLVED |
| 1391236 |
Unable to restrict saving entered keystrokes in the places.sqlite file's moz_inputhistory table (privacy issue) |
P3 |
NEW |
| 1391989 |
dev tools sends cookies from not private session in private mode |
-- |
RESOLVED |
| 1393012 |
Meeting accept sent from default mail account and not from the account the invite was sent to |
-- |
RESOLVED |
| 1393387 |
Some registry folders, values and data are not deleted after uninstalling Firefox |
P5 |
NEW |
| 1395819 |
Site can turn cam & hw light back on without permission after cam light goes out, if it keeps recording audio |
P2 |
VERIFIED |
| 1396224 |
>500kb clipboard data (and text selection on Linux) is written to the filesystem, even in private mode |
P2 |
RESOLVED |
| 1397509 |
Referrer policy bypass with srcdoc |
P3 |
RESOLVED |
| 1398229 |
"Save Link As..." on a link that requires auth doesn't work the same in a container tab |
P1 |
RESOLVED |
| 1398303 |
Local Storage not cleared by Clear Recent History |
-- |
VERIFIED |
| 1398414 |
Key :visited per origin (first-party-isolation / partitioning for :visited). |
P3 |
NEW |
| 1399780 |
Preloads ignore referrer polices |
P2 |
RESOLVED |
| 1400582 |
Deleting all history still leaves some traces that can be used to precisely track individual users. |
P3 |
RESOLVED |
| 1401359 |
Disable SharedWorker in contexts where storage is not available |
P2 |
RESOLVED |
| 1401362 |
Consider disabling BroadcastChannel in contexts where storage is disabled |
P2 |
NEW |
| 1404163 |
Mixed-content blocker should block <img crossorigin=> requests |
-- |
RESOLVED |
| 1405971 |
Webextension UUID leak via Fetch requests |
P3 |
NEW |
| 1406544 |
cookies sent along with query suggestions request. |
P3 |
RESOLVED |
| 1406647 |
Please do not ship the Cliqz addon (well-known adware in Germany) as experiment |
-- |
RESOLVED |
| 1406873 |
RSS feed message, keep the state of a message read even if we clean the navigation data when we close Firefox |
-- |
RESOLVED |
| 1408867 |
Privacy Issue: preconnect bypasses remote content block |
-- |
RESOLVED |
| 1409458 |
Privacy Issue: Replying to or forwarding an HTML e-mail with external content (e.g. images), may load this content without user notification. |
-- |
RESOLVED |
| 1410106 |
fingerprinting users in private window using web-worker + indexedDB |
-- |
RESOLVED |
| 1411708 |
TBE-01-012: RSS Local Path Leak via @-moz-document |
-- |
RESOLVED |
| 1411713 |
TBE-01-013: RSS Local Path Leak via cid: Parsing Bug |
-- |
RESOLVED |
| 1411719 |
privacy.resistFingerprinting leaking system time and date information |
-- |
RESOLVED |
| 1411748 |
TBE-01-007: "Reload Page" dialog runs Javascript with external attachment because we only disable JavaScript for nsIMsgMessageUrls |
-- |
RESOLVED |
| 1412081 |
(CVE-2017-16541) Proxy bypass caused by autofs on Mac, Linux |
P2 |
RESOLVED |
| 1412107 |
<link rel=preconnect> appears to bypass content policies |
-- |
RESOLVED |
| 1413868 |
proxy bypass on windows via smb |
P2 |
RESOLVED |
| 1416344 |
network.http.referer.XOriginTrimmingPolicy to above 0 or network.http.referer.trimmingPolicy==2 crashes tabs |
-- |
RESOLVED |
| 1418211 |
Video Download Helper downloads in Private Browsing getting shown after restarting firefox |
-- |
RESOLVED |
| 1418931 |
QuotaManager in sanitize.js is not origin-aware |
P2 |
RESOLVED |
| 1420653 |
DeviceId is persisted even if cookies are disabled, allowing persistent fingerprint |
P3 |
NEW |
| 1421226 |
Private mode theme stays after leaving private mode |
P2 |
RESOLVED |
| 1422482 |
OS username disclosure using downloads manager |
P3 |
NEW |
| 1422860 |
Privacy Issue: Replying to or forwarding an HTML e-mail with external content (e.g. images), and clicking on it, may load this content without user notification - take 2 |
-- |
NEW |
| 1423410 |
Swapping tabs exposes private browsing tab content |
-- |
RESOLVED |
| 1425187 |
Don't allow shield studies/experiments without any explanation in description what they do and without related Mozilla bug URL with more detailed information |
-- |
NEW |
| 1426702 |
rel=noreferrer is ignored in <a target="_blank"> leading to referer leakage |
-- |
RESOLVED |
| 1427244 |
Enforce privacy settings on next startup, when previous application close was due to a crash |
P3 |
NEW |
| 1428583 |
[privacy]Disable thumbnails if all open windows are in Private Browsing mode |
P2 |
RESOLVED |
| 1431329 |
Omit Fennec Media playback Notification when viewed in private browsing mode |
P1 |
VERIFIED |
| 1431634 |
Add option to remotely clear all browser data(on disconnecting device)when disconnecting a divice(other than current) using firefoxsync(accounts.firefox.com/settings) |
-- |
RESOLVED |
| 1432846 |
Self-update service worker to stay alive |
P2 |
RESOLVED |
| 1433637 |
Favicons are shown in Bookmarks Toolbar even if Firefox is configured not to show them |
-- |
RESOLVED |
| 1436432 |
Currently viewed webpage (even in Private browsing!) is shared to other devices via IOS Handoff |
P1 |
VERIFIED |
| 1437349 |
Detect if user install certain software with external protocol |
-- |
RESOLVED |
| 1437871 |
Release and Beta share granted runtime permissions |
P5 |
RESOLVED |
| 1442509 |
Encryption (S/MIME) does not prevent sending if all recipients do not have a certificate and account set to "required" |
-- |
RESOLVED |
| 1448305 |
Private browsing mode leaks site visits via cached favicons |
P1 |
RESOLVED |
| 1449225 |
Focus leaks history via cache entries unless manually erased by the user |
-- |
RESOLVED |
| 1449920 |
Clear private data doesn't clear IndexedDB data |
-- |
RESOLVED |
| 1454252 |
Please set beacon.enabled to false by default |
P2 |
RESOLVED |
| 1455644 |
local file information leak on Mac using .DS_Store file |
-- |
RESOLVED |
| 1455898 |
Complicated CSS effects and :visited selector leak browser history through paint timing |
P1 |
RESOLVED |
| 1457032 |
Consider not activating Web Extensions on private windows |
-- |
RESOLVED |
| 1458168 |
Mozilla can operate a DNS-over-HTTPS server |
-- |
RESOLVED |
| 1462851 |
Art. 7 (1) + Art. 21 (5) GDPR: Please only load and run Analytics scripts if navigator.doNotTrack is not 1 |
-- |
RESOLVED |
| 1464399 |
GDPR - Possibly illegal browser behaviour - Don't send any fingerprinting information to a website before receiving explicit user consent for this |
P2 |
RESOLVED |
| 1465812 |
When user delete an url from the address bar with "delete" key, url in the addresse bar should change accordingly |
P2 |
RESOLVED |
| 1468071 |
small followup to proxy bypass on windows via smb |
P3 |
RESOLVED |
| 1468087 |
IP Leak even after disabling WebRTC |
-- |
RESOLVED |
| 1468116 |
Icons from private browsing tabs on Fennec are stored in the disk cache |
P1 |
RESOLVED |
| 1468968 |
Firefox retains favicons with their respective urls after supposedly clearing history |
P1 |
VERIFIED |
| 1470174 |
"Clear private data on exit" does not delete icon cache (at cache/icons/) |
-- |
RESOLVED |
| 1471755 |
Data leak: don't send HTTP-Referer without consent, have a UI switch for default referer policy |
-- |
RESOLVED |
| 1472923 |
Detecting registered URI schemes leads to fingerprinting |
-- |
RESOLVED |
| 1474445 |
Unable to use :visited in compliance with accessibility guidelines |
P3 |
RESOLVED |
| 1483249 |
FireFox is storing sensitive data in the memory cache in an easily viewable format when Cache-Control headers set to no-cache |
P3 |
RESOLVED |
| 1483377 |
Use static array for sWhitelist instead of StaticAutoPtr |
P2 |
RESOLVED |
| 1484916 |
Firefox for iOS does not show an indicator for "passive" mixed-content |
P2 |
NEW |
| 1489853 |
keyword.enabled not honored with trailing colon for about: |
P3 |
NEW |
| 1493596 |
Screenshots of logged in pages show up on the New Tab page |
P3 |
REOPENED |
| 1493795 |
Add a maintenance task to cleanup orphan origins left over by third party apps |
P3 |
RESOLVED |
| 1496763 |
c-webrtc ALPN doesn't work |
P2 |
RESOLVED |
| 1498584 |
Unable to delete several history items under some circumstances |
P1 |
VERIFIED |
| 1502914 |
Clear private data is not working |
-- |
RESOLVED |
| 1506993 |
apkpure |
-- |
RESOLVED |
| 1512486 |
Firefox Library downloads view shows non-private downloads in a private window |
P2 |
RESOLVED |
| 1517520 |
Links clicked in Browser Toolbox in private mode are opened in normal mode, leading to the urls and data being stored with them forever in chrome_debugger_profile. |
P3 |
NEW |
| 1517714 |
SNI instead of ESNI (encrypted SNI) in response to HelloRetryRequest, TLS 1.3 |
P2 |
RESOLVED |
| 1519881 |
Geolocation Permissions are applied in private browsing sessions |
-- |
RESOLVED |
| 1521396 |
Paste event triggered on middle-clicking a link |
P1 |
RESOLVED |
| 1524076 |
Pasted recipient email address a@b autocompletes to more popular primary email address c@d |
P2 |
RESOLVED |
| 1525811 |
When keyword.enabled=false, do not provide search suggestions if no keyword is entered |
P3 |
RESOLVED |
| 1526134 |
Firefox Focus (iOS): Recovery of previous searches across app closure/Browser Clear |
-- |
RESOLVED |
| 1526387 |
CFR Addon Recommendations call remote AMO API before clicking "Install" |
P1 |
VERIFIED |
| 1528335 |
`InstallTrigger` and `mozAddonManager` leaking cookies in private browsing mode |
P1 |
VERIFIED |
| 1530132 |
Whitelisted site allows all cookies requested by site to be saved when blocking all cookies |
-- |
RESOLVED |
| 1534581 |
Exposed chrome:// resources allow browser version, OS, and locale detection |
P3 |
UNCONFIRMED |
| 1535004 |
Some data not successfully deleted after Firefox closes if modified with CCleaner |
-- |
RESOLVED |
| 1535235 |
Plaintext OCSP can leak server identity, even with ECH |
P5 |
RESOLVED |
| 1535950 |
On Linux the download URI is saved to GVFS/GIO metadata even in private browsing |
P2 |
RESOLVED |
| 1536382 |
Implement requestPermission() for DeviceOrientationEvent and DeviceMotionEvent |
P3 |
NEW |
| 1541399 |
Combined address bar continues to treat the address as search string after entering file: |
P1 |
VERIFIED |
| 1541450 |
"Forget about this site" should clear site certificate exceptions |
P2 |
RESOLVED |
| 1543897 |
Session Restore just restored a private window |
P3 |
NEW |
| 1544233 |
With DNS-over-HTTPS/TLS moving towards release and plans of being enabled by default, we should enable support for reading a user's hosts file |
P2 |
RESOLVED |
| 1545605 |
Forget about this site should not leave footprint on disk |
-- |
RESOLVED |
| 1546295 |
Forget about this site does not delete notification data |
P3 |
NEW |
| 1546296 |
Forget about this site does not delete service workers |
P1 |
RESOLVED |
| 1546969 |
Privacy leak in private browsing mode via downloading data |
P3 |
NEW |
| 1549349 |
communicate suggest_url https requirement change to developers |
P1 |
RESOLVED |
| 1549394 |
Potential privacy leak from Win10 keyboard autocomplete of data entered in Private Browsing |
P3 |
RESOLVED |
| 1551095 |
Closed tabs reappear when killing Firefox |
P2 |
RESOLVED |
| 1552638 |
Search engines suggestions shouldn't have shown in Navigation URL Bar, when Search Bar is separated in Address Bar |
-- |
RESOLVED |
| 1553003 |
Tracking and History Exfiltration with Alt-Svc on Firefox |
P2 |
RESOLVED |
| 1557015 |
Firefox focus — old search terms pop up after they are erased and app closed |
-- |
RESOLVED |
| 1557831 |
downloads that show a save dialog do not respect browser.download.manager.addToRecentDocs=false |
P3 |
RESOLVED |
| 1562279 |
Sometimes logging/signing data from Non-Private Window is preserved in new Private Window |
-- |
VERIFIED |
| 1562896 |
Accept event invitation: Reply wrongly sent from and confirmed for email associated with accepting calendar or TB default account instead of recipient/attendee email address (privacy leak!) |
P2 |
RESOLVED |
| 1563841 |
Impossible to clean last used bookmark folder in New Bookmark/Bookmarks/StarUI window |
-- |
RESOLVED |
| 1564096 |
reduce privacy implications of current IMAP/SMTP clientID implementation |
-- |
RESOLVED |
| 1564451 |
Camera remains active when the app is in background or the phone is locked |
P1 |
RESOLVED |
| 1564588 |
Deep-linking to attacker-created rooms on already-trusted WebRTC sites may give unprompted camera/mic access |
P2 |
VERIFIED |
| 1565374 |
Fingerprinting resistance against getUserMedia constraints doesn't work |
-- |
RESOLVED |
| 1568640 |
Disable FTP on Android |
-- |
RESOLVED |
| 1568911 |
2kb of cache returns after deleting from about:preferences#privacy -> Cookies -> Clear data... |
P3 |
NEW |
| 1579123 |
No warning when removing account files fails |
-- |
NEW |
| 1588439 |
Mailing lists should default to BCC |
-- |
RESOLVED |
| 1589074 |
Set referrer policy default to strict-origin-when-cross-origin |
P2 |
RESOLVED |
| 1590636 |
The manual config for setting up a new account has moved !! |
-- |
RESOLVED |
| 1591175 |
With keyword.enabled set to false specific strings in the address bar are still sent to a search provider |
P2 |
RESOLVED |
| 1594372 |
account setup should not send email address as parameter when over plain http |
-- |
NEW |
| 1601408 |
Enable security.mixed_content.upgrade_display_content (Upgrade all mixed content to https) |
P3 |
RESOLVED |
| 1602844 |
FxA ID is unhashed in telemetry on iOS |
P1 |
RESOLVED |
| 1604785 |
Exclude browser.fixup.domainwhitelist.* prefs from about:support |
P2 |
RESOLVED |
| 1605229 |
use Bing InPrivate search in Firefox's Private mode when Bing is set as default search engine |
P5 |
UNCONFIRMED |
| 1608359 |
Don't open TopSites on focus if top sites are hidden in the new tab page |
P2 |
VERIFIED |
| 1613157 |
Firefox cross-domain referer leakage with Referrer-Policy set to same-origin for media resource |
P3 |
RESOLVED |
| 1614315 |
Accept invitation: Reply sent from default account instead of recipient/attendee account |
-- |
RESOLVED |
| 1618896 |
Consider gathering telemetry like HTTP_PAGELOAD_IS_SSL separately only for the address bar |
P4 |
RESOLVED |
| 1623256 |
Page steals focus from doorhanger while editing details of a newly saved password |
P2 |
NEW |
| 1627499 |
Showing top site items/Recently visited items in Private Mode is inconsistent in Address Bar |
P2 |
RESOLVED |
| 1630410 |
Default Browser Agent has spyware behaviour |
-- |
RESOLVED |
| 1634952 |
Firefox Focus on Android: Clearing browsing data stops working from notification |
-- |
RESOLVED |
| 1639597 |
Persistent Private mode is not kept after Restart to update intervention is selected. |
P3 |
NEW |
| 1642623 |
User's search term is accidentally sent to ISP without user's consent. |
P3 |
NEW |
| 1642747 |
It's possible to screen-capture the next tab after tab close |
P2 |
VERIFIED |
| 1642943 |
Introduce a pref controlling post-facto dns resolution of single word hosts |
P2 |
RESOLVED |
| 1646262 |
exclude IP address from sent mail |
-- |
RESOLVED |
| 1646756 |
Private window in firefox for iOS persists IndexedDB after closing all the tabs |
-- |
RESOLVED |
| 1646875 |
Cleanup cmd_toggleReturnReceipt (Bug 1644345 followup) and stop discarding identity changes without asking (incl. Return Receipt) |
-- |
ASSIGNED |
| 1650511 |
URL remains in places.sqlite after deleting from bookmark (corrupt moz_origins) |
P3 |
ASSIGNED |
| 1656312 |
Console command history from Private Browsing session is not cleared |
P3 |
RESOLVED |
| 1657251 |
Favicon request in Fenix sends cookie and shares the value with private browsing mode |
-- |
RESOLVED |
| 1658881 |
[VG-VD-20-115] Leaking External URL protocol handler presence through image tags |
-- |
VERIFIED |
| 1663062 |
Confusing UI state with recipient pills and contacts side bar entries or attachments both showing active blue selection, causing privacy-violation of bug 1691842 (unintentional dual-drag messes up recipients) |
P1 |
RESOLVED |
| 1663987 |
Site Isolation enables timing attacks against partitioning across simultaneously open tabs |
-- |
NEW |
| 1666105 |
No visual indication for recipient pills of whether a typed address is in the Address Book |
-- |
RESOLVED |
| 1666655 |
URLs for most sites that are visited are logged to logcat |
P1 |
RESOLVED |
| 1670058 |
Support GPC / globalprivacycontrol.org Signal |
-- |
RESOLVED |
| 1678545 |
Full referrer URL exposed even from websites using strict referrer policies (e.g. "no-referrer" or "strict-origin-when-cross-origin") |
P2 |
RESOLVED |
| 1679518 |
Pasting an image from browser into composition silently defaults to linking and *not* attaching the inline image to the message |
P2 |
NEW |
| 1685508 |
Delete browsing data on quit not working. |
-- |
RESOLVED |
| 1691298 |
Private browser collects and retains searches. |
-- |
RESOLVED |
| 1691842 |
Dragging addresses from contact sidebar to a closed addressing label also moves selected pills |
P1 |
RESOLVED |
| 1693865 |
Firefox Focus on android password protection can bypass so easy |
-- |
RESOLVED |
| 1696632 |
User tracking (privacy violation) via cached HTTP 301 permanent redirects |
P3 |
UNCONFIRMED |
| 1700037 |
DNS.jsm/account setup should respect network.proxy.socks_remote_dns |
-- |
NEW |
| 1700465 |
saving har logs for tech support may expose your credentials and user is not warned about it |
P3 |
NEW |
| 1701313 |
Send button still remains disabled in spite of valid, non-pillified recipient address(es) for many text input methods. Should also prevent sending to autocomplete artifact "x >> max"@bar.com (privacy bug 632127) |
-- |
RESOLVED |
| 1704110 |
Browser Tracking through Preflight Cache |
-- |
RESOLVED |
| 1704390 |
Adding or removing an address from a mailing list does not update the list pill in the recipient area of the compose window |
-- |
RESOLVED |
| 1705068 |
Private Browsing not respected for search suggestions |
-- |
VERIFIED |
| 1707801 |
Implement aggressive enforcement option for limit of non-BCC Recipients (public bulk mail prevention) |
P3 |
RESOLVED |
| 1708766 |
login form info saved despite all login info save options disabled |
-- |
RESOLVED |
| 1709560 |
Explore not showing *inline* autocomplete suggestions when a full new email address *@* is entered (prevent error-prone, unwanted autocompletion) |
-- |
NEW |
| 1709799 |
Recipient autocomplete stubbornly prefers primary email address even if search word (typed fast or pasted) matches only the additional address on a card |
P3 |
RESOLVED |
| 1711084 |
Scheme flooding technique for reliable cross-browser fingerprinting |
P2 |
NEW |
| 1714185 |
navigator.oscpu returns "Linux x86_64" even if privacy.resistFingerprinting is enabled |
-- |
RESOLVED |
| 1714519 |
After collapsing and re-expanding composition's attachment pane with several attachments, vertical pane size reduced to 1 line, no scrollbar |
P3 |
RESOLVED |
| 1714941 |
Old history not displayed in "Older than 6 months" library view |
P3 |
RESOLVED |
| 1716174 |
Thunderbird should not include User Agent string with sender's OS and mail client details in every outgoing message (privacy concern) |
-- |
RESOLVED |
| 1721904 |
Page thumbnails from private mode tabs are kept in the cache after a crash |
P2 |
RESOLVED |
| 1723281 |
Fast query of registered URL schemes through XMLHttpRequest for system fingerprinting |
P2 |
RESOLVED |
| 1724080 |
TCP connection made over port 80 with HTTPS only enabled |
P2 |
RESOLVED |
| 1729774 |
Traffic analysis vulnerability of Firefox DNS over HTTPS Implementation |
P2 |
RESOLVED |
| 1730194 |
Prevent Copy button to send information to Cloud Clipboard and Clipboard History on Windows |
P1 |
VERIFIED |
| 1730434 |
FIDO2/WebAuthn privacy leak through a timing attack using silent authentications. |
P1 |
RESOLVED |
| 1730797 |
Using capped, unpartitioned thread-pools for cross-site and / or cross-profile communication |
P3 |
NEW |
| 1731713 |
[meta] Total Cookie Protection Rollout |
P1 |
RESOLVED |
| 1732553 |
Dragging unselected contact B from the new Address Book drops selected contact A instead (mail.addr_book.useNewAddressBook=true) |
P2 |
RESOLVED |
| 1733033 |
Bookmarked link shows as "visited" even after browsing data was cleared |
-- |
RESOLVED |
| 1733912 |
"Do not send a response" does send response on invitations after selecting Gmail online calendar from `Select Calendar` prompt (vs. local calendar with same email) |
-- |
NEW |
| 1735212 |
Support GPC on workers |
-- |
RESOLVED |
| 1742694 |
dom.push.userAgentID is displayed on about:support: Is this safe or does it allow stealing private push notifications of other people when about:support is publicly shared? |
-- |
RESOLVED |
| 1742707 |
Default button on dialog widget triggers even when modifier keys are used, but should react to plain `Enter` keypress only |
P3 |
NEW |
| 1742946 |
Catch-all identity/email address leaks into guest list when accepting invitation - should honor catch-all and use the invited email address |
P2 |
NEW |
| 1743305 |
Pure CSS browser fingerprinting and cross-origin CSS 'supercookie'. |
-- |
UNCONFIRMED |
| 1745180 |
DNS Prefetch security issue: Information leak -- bug reintroduced |
-- |
RESOLVED |
| 1745593 |
Twitch audio briefly plays on browser start when the site is pinned in about:home |
P3 |
REOPENED |
| 1748503 |
Detecting whether a URL is blocked (by Tracking Protection or an extension) or not through importScripts |
P3 |
VERIFIED |
| 1749126 |
Jpg not erased in %tmp% |
P2 |
RESOLVED |
| 1749129 |
Side-channel attack can deanonymize users (potential risk to journalists and activists) |
P5 |
NEW |
| 1750981 |
In the Firefox mobile share menu, allow me to hide / remove apps |
-- |
RESOLVED |
| 1751114 |
Firefox for iOS shows previously closed private tabs for a fraction of a second when opening new private browsing tabs |
P4 |
RESOLVED |
| 1751678 |
Detecting cross-origin redirects using the performance API |
P3 |
VERIFIED |
| 1752396 |
Temporary file creation moved from /tmp/mozilla_${USER}0 to /tmp. Potential security risk |
-- |
VERIFIED |
| 1753242 |
thunderbird 91.5.0 writes attachments to /tmp readable to everyone |
-- |
VERIFIED |
| 1754171 |
Resource Timing values leak opaque response redirect status |
P3 |
RESOLVED |
| 1758660 |
Received mail reveals default identity/mail-address |
-- |
UNCONFIRMED |
| 1760674 |
Utilizing CSS variables caused a browser behavior that leaks the information on visited links |
-- |
VERIFIED |
| 1763950 |
EXIF metadata not stripped from JPG group |
-- |
RESOLVED |
| 1768639 |
Bookmarks sidebar folder opening state is shared/stored from private windows (persisted after Firefox restart) |
P5 |
NEW |
| 1774115 |
Ctrl+Shift+T brings up deleted history |
-- |
RESOLVED |
| 1774739 |
Change string for Total Cookie Protection in ETP Standard Mode under Preferences |
-- |
VERIFIED |
| 1774955 |
Can't delete urlbar search result any more since Firefox 55 |
P5 |
RESOLVED |
| 1780842 |
screen recording disabled in incognito mode, still leaking sensitive information in the address bar. |
P3 |
RESOLVED |
| 1787034 |
The notification permission granted in normal browsing mode also applies to private browsing |
P2 |
VERIFIED |
| 1791611 |
Allow specifying an address type (Bcc) for a mailing list |
-- |
RESOLVED |
| 1791659 |
Implement `Enforce Bcc` checkbox with strict behavior for mailing lists |
-- |
NEW |
| 1792537 |
Search in address bar cannot be fully disabled |
P3 |
RESOLVED |
| 1793615 |
`Copy` context menu of a link in PDF viewer is enabled without text selected and does nothing, like `Paste`. `Copy link` is missing. |
-- |
NEW |
| 1794508 |
`GetStorageAccess() == ePrivateBrowsing` in ServiceWorkersEnabled() does not always detect private browsing mode |
P1 |
VERIFIED |
| 1795118 |
mail.compose.warn_public_recipients fails for nested mailing lists |
-- |
NEW |
| 1796970 |
Private download progress is shown on the non-private Windows taskbar icon |
P5 |
RESOLVED |
| 1797061 |
Implement `Write > To | Cc | Bcc` submenu for selected mailing list or multiple selection in address book |
-- |
NEW |
| 1799356 |
Adding a contact's secondary email address to a Mailing List adds the primary/default email address instead |
-- |
NEW |
| 1801134 |
Curious websites can obtain a (cryptographically) unique identifier about the used Android device. |
P3 |
RESOLVED |
| 1807753 |
URLs entered in the address bar are leaked to search providers |
-- |
NEW |
| 1810358 |
Android Mozilla Screenshot Prevention Bug |
P5 |
NEW |
| 1813375 |
Session cookies are not removed on session end; session restore resurrects them |
-- |
RESOLVED |
| 1819788 |
When replying to one of several emails from the same sender, it links to the first email in the series, not the intended specific email. |
-- |
RESOLVED |
| 1821112 |
QuickSuggest may be bypassing maxRichResults? |
P3 |
VERIFIED |
| 1826842 |
Visiting discord.gg invite link bypasses private browsing due to its local server |
P3 |
NEW |
| 1827837 |
Some entries may persist as tags when the original bookmark was removed |
P2 |
NEW |
| 1828374 |
miss matching cache in Firefox could be result in network traffic hijacking or information leaking |
P3 |
UNCONFIRMED |
| 1830070 |
about:blank doesn't properly resist fingerprinting. |
-- |
RESOLVED |
| 1831879 |
The "Save image" and "Download link" context menu items do not have a download confirmation prompt like other browsers, making it possible to leak private tabs by accident |
-- |
NEW |
| 1839046 |
Link preview in iOS cannot be disabled |
-- |
UNCONFIRMED |
| 1839230 |
Firefox 114 "Clear History" does not clear download history |
P3 |
NEW |
| 1839464 |
"Block all cookies" bypass for localstorage using about:blank iframe, plus document.cookie weirdness |
P2 |
VERIFIED |
| 1839479 |
Permissions preserved between Private Browsing sessions (e.g. HTTPS-only mode exceptions) |
P3 |
NEW |
| 1840265 |
Malicious WebExtention can leak history using captureVisibleTab and <all_urls> |
-- |
RESOLVED |
| 1841429 |
Firefox 115 Bookmark Toolbar - Firefox connects(preload) with a right click to web page |
P3 |
NEW |
| 1842030 |
After closing the last Private Window, context is not always reset/cleared... |
P2 |
RESOLVED |
| 1843046 |
push notifications saved to disk in Private Browsing mode (Toggle off push notifications in Private Browsing mode) |
P2 |
VERIFIED |
| 1844771 |
'Remove from History' menu item/command doesn't work on Adaptive History results |
P2 |
RESOLVED |
| 1849186 |
Browsing history leaked to syslogs via GNOME |
P1 |
RESOLVED |
| 1852277 |
Audit Web APIs for Hardware Acceleration |
-- |
NEW |
| 1853005 |
Malicious File Downloads via detecting header differences between the <embed> Tag and "save video" context menu item |
P3 |
NEW |
| 1862616 |
Additional text can be inserted in the clipboard result link |
P3 |
VERIFIED |
| 1868814 |
Pressing ⌘Return in the address bar doesn't open a new tab in the current container |
P3 |
NEW |
| 1872360 |
Deleted email metadata remains in msf files |
-- |
NEW |
| 1872607 |
keyword.enabled suggests to execute a search if the typed string ends with * |
P3 |
NEW |
| 1875313 |
Spoof English is ignored in number validation |
P3 |
RESOLVED |
| 1880634 |
MozTogglePictureInPicture event is visible to web content |
P3 |
NEW |
| 1883633 |
Store the exposable (non-uripass) URI in the database for history and favicons |
-- |
NEW |
| 1884361 |
No clearing of cookies on the site mail.ru |
-- |
UNCONFIRMED |
| 1892524 |
Mv3 add-on's request to always access a site is persisted even if requested wrt a site in Private Browsing |
-- |
NEW |
