FF keeps form data post crash/kill... how to stop this, we cant have it keeping form data in a crash (PCI/PAN data vulnerability)
Hi,
We have been testing FF as we need to meet PCI requirements and from what we can tell FF will keep form data post it crashing (or killing it) in task manager.. and when restarting it loads the last page and shows data that was entered..
we fear that FF storing this data in a file... if it is and it's in plain text a hacker could get that file and if it had Credit Card data in it, well that's bad for PCI requirements.
Does it write the data to a file? Is the data in plain text? - If so: where is this kept? can we disable it? How long is it kept?
Thanks Shane Weddle
所有回覆 (2)
hi, as a starting point you could refer to http://kb.mozillazine.org/Session_Restore. do you still have particular questions after that?
Take a look in your sessionstore-backups folder. You can open your current Firefox settings (AKA Firefox profile) folder using either
- "3-bar" menu button > "?" button > Troubleshooting Information
- (menu bar) Help > Troubleshooting Information
- type or paste about:support in the address bar and press Enter
In the first table on the page, click the "Show Folder" button to launch the folder in Windows Explorer.
Scroll down and double-click into the sessionstore-backups folder. Your open pages, as well as a number of previously visited pages in open and closed tabs, are saved in these files:
- recovery.js: the windows and tabs in your currently live Firefox session (or, if Firefox crashed at the last shutdown and is still closed, your last session)
- recovery.bak: a backup copy of recovery.js
- previous.js: the windows and tabs in your last Firefox session
- upgrade.js-build_id: the windows and tabs in the Firefox session that was live at the time of your last update
Note: By default, Windows hides the .js extension. To ensure that you are looking at the files I mentioned, you may want to turn off that feature. This article has the steps: http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions
Firefox has a user preference which you cannot control from the server application which determines the extent to which the session history file will contain site cookies and form data in addition to the page's URL. You can experiment with this setting and issue recommendations or requirements accordingly:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste sess and pause while the list is filtered
(3) Double-click the browser.sessionstore.privacy_level preference and enter the desired value:
0 => Save extra data for all sites 1 => Save extra data for HTTP sites but not HTTPS sites 2 => Do not save extra data for any sites
You might also look at the anti-caching options in this support article to see whether HTTP headers combined with using POST to load the form (not just to submit the form), bypasses saving form data: https://developer.mozilla.org/Firefox/Releases/1.5/Using_Firefox_1.5_caching