Privacy and security concerns, questions
It was pointed out to me that Firefox has geolocations set in the about:config settings. So I checked and indeed, when i do a search for "geo" in the about:config window I get two hits: geo.enabled - default - boolean - true geo.wifi.uri - default - string - https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%
I have location services disabled completely in OS X Mavericks and the System Preferences > Security & Privacy > Privacy shows no mention of Firefox asking for access to my geolocation. With this seting set to "True" can Firefox still collect some or any of my geolocation through other means like IP etc?
No fan of Google either, will that second setting contact Google to transmit any of my geolocation?
I was also told that having multiple tabs open in Firefox enabled the websites in those tabs to get information from eachother. For example if I am in my webmail on one tab, another website in another tab can 'see' or 'know' this somehow, is this true? If so, what are the security/privacy concerns with this or how far can a website go to collect info from other tabs?
I am here to verify these things before I pass this information on to others.
Thank you for your help in advance.
All Replies (3)
Good questions.
(1) Geolocation
Firefox has the option to tell websites your location, but you will be asked to approve that. Mozilla has a FAQ here with lots more information: Mozilla Firefox Web Browser — Geolocation in Firefox — Mozilla
(2) Inter-tab communication
Individual tabs work in basically the same way that separate windows work, which is that tabs or windows opened independently of one another are invisible to one another. But... When multiple tabs contain resources from the same server, whether it's MySocialSite or ThatAdNetwork, the server can learn which pages you opened and at what times, and depending on the scripts in the page, might learn when you closed or left that page (those look the same from the scripting perspective).
This is true of all browsers, by the way.
So, if you open two sites independently (i.e., one window or tab does not launch the other), and they pull in no resources from a common server, then those two sites can't know about your visit to the other one. But in other scenarios, which are increasingly common on the web, the two sites might be able to learn a little more.
What about private browsing? If you open one site in a regular window and another site in a private window, then the situation changes, because in the private window, the common server would not have access to the cookie it set in the non-private window and couldn't link your two visits together. Currently Firefox allows those two separate sessions to run simultaneously: your non-private windows share one set of cookies, and your private windows share another. Someday you may be able to completely isolate individual pages.
I may have gotten off track here. Please post back with your follow-up questions.
Thanks for your reply tscher2000. Firefox has never asked me for location info so I tested this with the help of this website (and above mentioned settings in about:config at their defaults) http://source.tutsplus.com/webdesign/tutorials/008_location/index.html
The options were Always share, never share and not now. When I set this to "Never share" and go back to about:config, the geo.enables is still set to "True". Why would this not be disabled as I said "Never Share"? It make ssense if it's website independent but should there not be an option in Privacy settings to disable it completely for those that want to?
I manually set the geo.enabled to "False" and changed the googleapi link to localhost (http://127.0.0.1) and when I return to that test website I immediately see a message "Sorry your browser doesn't support the Geolocation API". So manually changing it definitely disables the geolocation API and rules out any connection to Google. For all of those that want geolocation disabled permanently this should be as simple as checking a box in the Privacy settings.
During all this the settings I made in OS X were not altered. Even though I set location services to be disabled, firefox did not care, OS X did not ask for permission on behalf of firefox or anything. So firefox can bypass the OS X settings it seems? Safari does not allow geolocation with the OS X settings disabled and once enabled it will ask for confirmation because the OS tells it to do so.
When it comes to multiple tabs having the ability to communicate with eachother what you say makes sense. After all the cookies and cache are in one central location. Unless I want to make my browsing experience a nightmare it seems there is no way around this, perhaps in future versions each site (tab / window) can be sandboxed with it's own location for cookies and caches like you mentioned private browsing does now.
Thanks for the feedback!
Diubah
Hi JustChecking, due to high traffic here, feature suggestions tend to get lost. You might want to propose the additional checkbox using the Input site:
Help > Submit Feedback