 BandHeight
join:2004-08-30 Portland, TX
| FireFox / Mozilla HTTP Headers: X-Moz
After getting back to this topic:
»FireFox 2.x - Bookmark Properties Accesses Website
after a few days of neglect, I discovered that the Live Titles functionality, aka microsummaries, sends an HTTP header (X-Moz: microsummary) as part of the request:
»developer.mozilla.org/en/docs/Mi···requests
quote: Firefox includes the X-Moz request header with these requests. It sets the value of the header to the string microsummary. Thus, to differentiate requests initiated manually by users for the purpose of viewing a web page from those initiated automatically by Firefox for the purpose of summarizing that page, check for the presence and value of the X-Moz request header.
If the X-Moz header is present, and its value is microsummary, then the request is a microsummary-related request. Otherwise, it is a user-initiated request.
So, not only does the functionality connect to a website to download content simply by checking bookmark properties, it also alerts the remote server that you have the site bookmarked.
Although there is no ability to disable this behavior via FF, armed with the header information, it was simple enough to use Proxomitron to kill all outgoing connection attempts where the "X-Moz: microsummary" header is present.
By the way, the FireFox prefetch functionality also uses a special header (X-Moz: prefetch), but I don't use Proxo for that as prefetching can be turned off in About:Config.
I don't rank this high as a security issue, but I prefer not to have the browser making requests and sending specialized information along with the request without being able to control it.
Thanks. |
|
 SUMware Premium join:2002-05-21
1 edit | Good info. Thank you.
Here's the Proxo header filter I wrote:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "X-Moz: microsummary (Out)"
Match = "*"

It prevents any microsummary-related request. |
|
 BandHeight
join:2004-08-30 Portland, TX
2 edits | You're welcome SUMware.
However, I took a different approach. Your code (at least in minimal testing) simply removes the "X-Moz: microsummary" header. It still downloads the content. If all you wanted was to prevent the server from seeing whether you had the site bookmarked, this is adequate.
However, my goal was to completely kill the connection so that I could check Properties without having FF connect to the site at all. There are several ways to achieve this depending on, among other things, which config set you are using, but here is what I wrote for my Sidki set:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "X-Moz: Microsummary"
Match = "*microsummary*"
Replace = "$RDIR(http://local.ptron/killed.gif)"

Edit: spelling |
|
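The difference between the two filters above (removing the header while still forwarding the request, versus never letting the request reach the site) can be modelled as follows. This is an added example, not code from any poster in the thread or from Proxomitron; the function names, the policy names `strip` and `kill`, the case-insensitive value comparison and the sample requests are assumptions made for illustration.

```python
# Added example: models the two proxy-side policies discussed in the thread.
# Sample requests are constructed; example.test is a placeholder host.

AUTOMATED_VALUES = {"microsummary", "prefetch"}  # X-Moz values named in the thread


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def x_moz_kind(headers):
    """Return 'microsummary' or 'prefetch' for browser-initiated requests, else None."""
    for name, value in headers:
        # Header names are case-insensitive; the value is compared the same way here.
        if name.lower() == "x-moz" and value.lower() in AUTOMATED_VALUES:
            return value.lower()
    return None


def filter_outgoing(raw, policy):
    """Apply 'strip' (drop the header, still forward) or 'kill' (never forward).

    Returns (forwarded, headers_sent_to_server).
    """
    if policy not in ("strip", "kill"):
        raise ValueError("unknown policy: " + policy)
    _, headers = parse_request(raw)
    if x_moz_kind(headers) != "microsummary":
        return True, headers          # user request or prefetch: left untouched
    if policy == "kill":
        return False, []              # the request never reaches the site
    kept = [(n, v) for n, v in headers if n.lower() != "x-moz"]
    return True, kept                 # the site still receives the request


SAMPLE_MICROSUMMARY = (
    "GET /page.html HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "x-moz: Microsummary\r\n\r\n"
)
SAMPLE_USER = "GET /page.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
```

With `strip` the server loses the bookmark signal but still logs the request; only `kill` keeps the bookmark-properties check from contacting the site.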
 SUMware Premium join:2002-05-21
1 edit | Good idea. I use Sidki's fine config set, too. So I'm going with your filter.
Not your fault - but last line doesn't display correctly here. It should be: Replace = "$RDIR(h t t p://local.ptron/killed.gif)" without spaces between the letters 'http'.
Thanks again.
[edit: corrected my sloppy spelling & punctuation] |
|
 BandHeight
join:2004-08-30 Portland, TX
| said by SUMware: Not your fault - but last line doesn't display correctly here. It should be Replace = "$RDIR(h t t p://local.ptron/killed.gif)" without spaces between the letters.'http'. Thanks again.
Yes. The URL was truncated by the Forum software, and I didn't notice that. Thanks for pointing that out. |
|
  sivran Long Live The Suite Premium join:2003-09-15 Arlington, TX clubs:
·RoadRunner Cable
| reply to BandHeight quote: I don't rank this high as a security issue,
That's because it's a privacy issue, not a security one. 
quote: Although there is no ability to disable this behavior via FF
Seems funny there wouldn't even be an entry in about:config for it. Might do to check mozillazine to see if it's been reported. Digging through bugzilla can be a pain.  -- Think outside the fox...Seamonkey |
|
 BandHeight
join:2004-08-30 Portland, TX
1 edit | said by sivran : quote: I don't rank this high as a security issue,
That's because it's a privacy issue, not a security one.
Likely true. But in my scheme of things, privacy is a subset of security. And I like to keep my privacy secure.
said by sivran : quote: Although there is no ability to disable this behavior via FF
Seems funny there wouldn't even be an entry in about:config for it. Might do to check mozillazine to see if it's been reported. Digging through bugzilla can be a pain.
I've looked.
Besides, in my first post on the subject, I linked to a post which said there was no way to change the Live Titles / microsummaries behavior in the bookmark properties. The author of that post was Myk Melez, and based on my search of his name at the time, I find him to be a credible source. From his web site:
»www.melez.com/mykzilla/
quote: My primary responsibility for Firefox 2 was to implement support for microsummaries. It was a large task, and I couldn't have done it without significant assistance from a number of other folks.
I'll take his word for now. If you see that something has changed since his post dated 11/7/2006 stating that there was no way to turn it off, let us know. 
Edit: duplicated words |
|