Can a website see from which folder Firefox uploads a file?

7 replies [Last post]
GNUser
Offline
Joined: 07/17/2013

When using webmail or a forum or something like that, we can use an upload feature to send a file from our PC to the website. When we do so, the full path becomes visible in the "upload from" window in those pages. I was thinking, could it be seen by the site? Either directly or using a JavaScript attack to record the temporary input in the said window. Is that possible?

GNUser
Offline
Joined: 07/17/2013

If anyone has info on this, it would be greatly appreciated.
Thanks.

Mangy Dog

Offline
Joined: 03/15/2015

This document describes some of the most common Firefox sandbox setups:
https://firejail.wordpress.com/documentation-2/firefox-guide/

SuperTramp83

Offline
Joined: 10/31/2014

I see no point in researching this. Everything I download and upload goes to ~/Downloads, which is indeed one of the very few folders whitelisted in my bloatafox firejail profile.

GNUser
Offline
Joined: 07/17/2013

Actually, wrong.
If the folder from where you make an upload is stolen, it will give away your account name. Let's imagine you have made a new account in your Trisquel machine, called "2sexy4u" but you are sending a file to a Muslim church requesting membership. They could, based on the account name, realize you are a sexy person and refuse you.

Of course I am kidding with the example given, but it still stands that the account name (as well as the specific location of the folder) is up for the taking. Is it a possible attack?

Thanks

SuperTramp83

Offline
Joined: 10/31/2014

Well, first of all I don't do anything illegal on Internet. Second, my user name is 'gnu', it always has been and always will be. No need to hide it, on the contrary I am very proud of my user name. :P

I can see how this can worry you though. I imagine if this was the case, if it was possible for a website to see the path, then there would be a warning somewhere about this on the torproject.org website. Never allow JavaScript btw. JavaScript can and in some cases **will** fingerprint your hardware almost uniquely.

I might actually consider changing my user name to 2sexy4u and I might also consider going full Muslim, I'm very bored these days.

I see your point, I don't know, I guess it's impossible. How about asking this question to someone competent? A tor dev or something?

SuperTramp83

Offline
Joined: 10/31/2014

I'll leave it as it is coz editing won't benefit mucho as mailing list and shit.. but re-reading "first of all I don't do anything illegal on Internet." comes out as very suspicious. Isn't the first thing a drunk man would comment 'I am never drunk'? Oh shit, now they know, close everything, the plan is over, 'vamoose with great importunity' :D

Anyway, I just spent some time researching this and this is what I found ->

https://superuser.com/questions/1031501/are-full-paths-kept-private-by-firefox-or-are-they-disclosed-to-websites

GNUser
Offline
Joined: 07/17/2013

Thank you for the useful link! Another link inside that page stated that JavaScript could really be used to discover the full path, but as long as there is no JavaScript involved, it should be impossible.
Which I think is the way it should be! ;)

Thanks.
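
The question in this thread can be checked directly by looking at what an upload request carries. The following is an added example, not code from any poster or from the linked pages: it parses a multipart/form-data body and reports whether a `filename` parameter contains directory components or a home-directory account name. The sample bodies, the boundary string and all function names are constructed for the illustration.

```javascript
// Added illustration: audit the filename parameters of a multipart/form-data
// upload body for leaked directory or account-name information.
const BOUNDARY = "----constructedBoundary42"; // constructed, not captured

// Build a constructed single-file upload body carrying the given filename.
function buildBody(filename) {
  return [
    `--${BOUNDARY}`,
    `Content-Disposition: form-data; name="attachment"; filename="${filename}"`,
    "Content-Type: text/plain",
    "",
    "hello",
    `--${BOUNDARY}--`,
    "",
  ].join("\r\n");
}

// Return the filename parameter of every part that has one.
function extractFilenames(body, boundary) {
  const names = [];
  for (const part of body.split(`--${boundary}`)) {
    const headerEnd = part.indexOf("\r\n\r\n");
    if (headerEnd === -1) continue; // preamble or closing delimiter
    const headers = part.slice(0, headerEnd);
    const m = /^content-disposition:.*?\bfilename="([^"]*)"/im.exec(headers);
    if (m) names.push(m[1]);
  }
  return names;
}

// Classify one submitted filename: does it reveal more than a base name?
function analyzeFilename(filename) {
  const segments = filename.split(/[\\/]/).filter(Boolean);
  // C:\fakepath\ is the placeholder prefix the HTML standard gives scripts
  // that read a file input's value; it says nothing about the real folder.
  const isFakepath = /^c:\\fakepath\\/i.test(filename);
  // Home-directory layouts that embed the account name.
  const home = /(?:^|[\\/])(?:home|Users)[\\/]([^\\/]+)[\\/]/i.exec(filename);
  return {
    baseName: segments[segments.length - 1] || "",
    leaksDirectory: segments.length > 1 && !isFakepath,
    accountName: home ? home[1] : null,
  };
}

// Audit every file part of an upload body.
function auditUpload(body, boundary) {
  return extractFilenames(body, boundary).map(analyzeFilename);
}
```

To run the same check against a real upload, copy the request body from the browser's network inspector and pass it to `auditUpload` together with the boundary from the request's Content-Type header.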