
Firefox information disclosure caused by screenshots of recently used websites

With my web application I've noticed that on the "New Tab" page it shows a series of my recently viewed websites with screenshots.

The problem here is that some of these screenshots show sensitive information from my web page.

Is there a way to block Firefox from taking screenshots of my web application in particular without requiring browser configurations (in my website code)?

I believe Chrome has a similar feature; I would like to block it as well.

jonfriesen asked Dec 06 '12 17:12


2 Answers

Perhaps you could set the cache-control header. This would tell the browser to make all possible efforts not to save the page on the user's computer.

Cache-control: no-store

http://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Avoiding_caching

Sadly, this would be a performance hit since the user would need to pull down each page entirely for every call they make.

Dan answered Nov 16 '22 03:11
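
The header suggested in the answer above can be limited to pages that may show private data so that static assets stay cacheable; the following is an added example, not code from the original posts. It assumes a Node.js-style request handler, and the `/static/` prefix, the extension list and the function names are hypothetical.

```javascript
// Added example: send "Cache-Control: no-store" on everything except an
// explicit allowlist of static assets, so private pages are never marked
// storable and only assets keep the performance benefit of caching.
// ASSUMPTIONS: the "/static/" prefix, the extension list and the function
// names are hypothetical and must be adapted to the real application.

const STATIC_PREFIX = '/static/';
const STATIC_EXT = /\.(?:css|js|png|jpg|svg|woff2)$/i;
const STATIC_POLICY = 'public, max-age=86400';

// Decide the Cache-Control value for a raw request target.
function cacheControlFor(rawUrl) {
  let path;
  try {
    // Parsing against a dummy base drops the query string and resolves
    // dot-segments, so "/static/../account" is matched as "/account".
    path = new URL(rawUrl, 'http://localhost').pathname;
  } catch (err) {
    return 'no-store'; // unparsable target: fail closed
  }
  if (path.startsWith(STATIC_PREFIX) && STATIC_EXT.test(path)) {
    return STATIC_POLICY;
  }
  // Every dynamic page, including routes added later, defaults to no-store.
  return 'no-store';
}

// Request handler in the shape Node's http.createServer() expects.
// Wiring (not run here): require('http').createServer(handler).listen(8080)
function handler(req, res) {
  res.setHeader('Cache-Control', cacheControlFor(req.url));
  res.setHeader('Content-Type', 'text/plain; charset=utf-8');
  res.end('ok\n');
}
```

Because the allowlist is the only cacheable set, a page that is forgotten in configuration is served with `no-store` rather than left storable.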


[UPDATED]

Short answer: No.

Long answer:

This clearly goes beyond the scope of HTML that deals with presentation of the content within the browser's chrome. Here's an example why there isn't such an option supported by browsers as yet.

Consider browsers that remember what was typed in text-fields and thereby provide auto-complete functionality when the user starts typing into a text-field having the same/similar class names/IDs.

Now Gecko browsers came up with the autocomplete="off" attribute to let the web-designer control the presentation of the form. So while browsers may come up with ways for you to manage the presentation of the data on the web-browser there isn't a way to manage the presentation of the page beyond the browser's chrome (portion of browser used to display the page).

For clarification, one can refer to the formal definition of HTML here.

Now that HTML has been ruled out, let's look at ECMAScript. ECMAScript determines what JavaScript can and cannot do. There are different implementations of this, but ultimately the functionality remains more or less the same in order for the implementations to be ECMA compliant. Looking at the ECMA functionality, it confirms that JavaScript will not do more than access cookies and issue functions to indirectly control the browser's history.

These screenshots are taken by the browser and cached on the local disk. They are cached and accessible using a link as follows: moz-page-thumb://thumbnail?url=<url encoded>, e.g. moz-page-thumb://thumbnail?url=http%3A%2F%2Fstackoverflow.com%2F

Disclaimer: The following conclusion is based on my understanding for which I cannot provide any references. HTML or JavaScript will definitely not help you here; browser specific add-ons would be the solution. Web designers should not be able to control the usage of the web-content once it reaches my machine, as that would infer invasion of privacy.

Kent Pawar answered Nov 16 '22 02:11