Closed Bug 87388 Opened 24 years ago Closed 24 years ago

third party cookie blocking doesn't work when "Enable cookies for the originating Web site only" is set

Categories

(Core :: Networking: Cookies, defect, P2)

Product:
Core
Component:
Networking: Cookies
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0

People

(Reporter: mozilla.org, Assigned: morse)

References

(
URL
)

Details

(Keywords: regression)

Attachments

(4 files, 2 obsolete files)

this page sets cookies
48.99 KB, text/html
Details
test case for setting third-party cookies
203 bytes, text/html
Details
captured traffic
6.18 KB, text/plain
Details
Same patch but with nsXPIDLCString per Brendan's request
4.71 KB, patch
brendan
: review+
brendan
: superreview+
brendan
: approval+
Details | Diff | Splinter Review
Using 2001062209 Mac binary on Mac OS X (via Classic), Mozilla accepts third-party cookies even if "Enable cookies for the originating Web site only" is set. To reproduce: 1) Create a new profile. 2) Edit->Preferences. Set cookie preferences to "Enable cookies for the originating Web site only" 3) Visit http://www.nytimes.com/ 4) Tasks->Privacy and Security->Cookie Manager->View Stored Cookies 5) Verify that you now have third-party cookies from bigcharts.com and centrport.net. The img tags are not enclosed within an iframe, so this is not the same as bug 67447.
Unfortunately many sites get around the third-party cookie blockage by doing redirects. A redirect is not considered as a third party. And we don't want to block cookies from redirected sites because that would have severe consequences. I don't know if that is what is going on at the nytimes site, but it could very well be. And in that case this bug report is invalid. So I'm closing this out. But if you can determine that this really is a third-party cookie and not a redirected cookie, then please reopen.
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
I assume by redirects you mean that the HTML source points to an image that is stored on a same-domain server, which redirects you to a third-party server when you request the image. That does not appear to be the case here, so I am reopening this bug. View->Page Source shows that the HTML source of the page points to images hosted on charts.bigcharts.com and mds.centrport.net. If you visit those foreign links by themselves, the same cookies get set.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
No, I wasn't referring to content on the page that is redirected. I was referring to an entire page that is redirected. For example, if your http request specifies that you want to go to www.firstsite.com and the http reply that you get back is a redirect to www.secondsite.com, then a redirect has occured. This typically occurs when a website has moved. And in that case you still want secondsite to be considered as the first party and not the third party. But marketing sites have used this as a loophole to set third party cookies even though you are blocking such cookies. Specifically they do the following: 1. You send out a request to visit www.nytimes.com 2. www.nytimes.com send back a redirect to www.doubleclick.com 3. doubleclick is now the first-party site and goes and sets a cookie 4. doubleclick knows that nytimes was the referer so it now does a redirect back to that site 5. now nytimes.com puts up its webpage. The way to prove that this is what is happening is to use a sniffer. But I'm almost certain that this is what is going on here because it is a standard trick that websites are now using to circumvent the block-third-party-cookie preference setting.
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago24 years ago
Resolution: --- → INVALID
I don't think these cookies are being set through redirects. I don't have a sniffer, but "lynx -trace http://www.nytimes.com/" doesn't come up with any redirects in the trace log. There is evidence the cookies are NOT being set by redirects, and so far no one has confirmed that this is being done with redirects. If you are not willing to investigate, can you at least leave this bug open and "unconfirmed" so someone else can investigate, instead of just declaring it "invalid" out of hand?
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Attached file this page sets cookies
On my setup (2001062209 on Mac), the stripped-down test case (second attachment) still sets third-party cookies when served from bugzilla.mozilla.org.
This appears to be a networking problem. I too have a simplified test case -- it is at http://people.netscape.com/morse/bug.htm Unfortunately this won't be visible outside the netscape firewall until early tomorrow (Sunday) morning. In the meantime Netscape employees can get to it from inside the firewall at http://peoplestage/morse/bug.htm What is happening is that the bug.htm content contains an image tag for an image on mds.centrport.net. The following traffic occurs when bug.htm is requested: 1. Request for bug.txt 2. Response contains content including image tag for mds.centrport.net 3. Request for file on mds.cenrport.net 4. Response contains set-cookie and a redirct to another file on same server (The complete traffic report is attached.) In step 4 the set-cookie is causing a cookie to be set. The cookie-setting code is in the SetCookieStringFromHTTP routine in nsCookieService.cpp. One of the parameters passed to that routine is aFirstURL. That should be the URL for bug.htm but instead is the URL for the file on mds.centrport.net. So now we need to see where aFirstURL is being set. That is occuring in the calling routine which is OnExamineResponse in the file nsCookieHTTPNotify.cpp. Specifically it happens on line 220 which reads: rv = aHttpChannel->GetURI(getter_AddRefs(pFirstURL)) So the GetURI is returning the wrong URL. That is why the cookie module does not recognize this as a third-party cookie. Reassinging to networking.
Assignee: morse → neeti
Component: Cookies → Networking: HTTP
QA Contact: tever → benc
Attached file captured traffic
this is not a networking bug! GetURI returns the URI used to create the channel. perhaps what you need is GetOriginalURI?!? -> morse
Assignee: neeti → morse
Component: Networking: HTTP → Cookies
When block-third-party-cookies was implemented, I was told by the networking people that the call I needed to make was GetURI and not GetOriginalURI. If an access is made to site A and site A does a redirect to site B and site B attempts to set a cookie, will GetOriginalURI return A or B? If it returns A, then it is the wrong thing for the cookie test to be using.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Mac System 9.x → All
Hardware: Macintosh → All
Target Milestone: --- → mozilla0.9.3
If an access is made to site A and site A does a redirect to site B and site B attempts to set a cookie, GetOriginalURI will return site A, GetURI will return site B.
Then that's why I needed to use GetURI and not GetOriginalURI. Now when access is made to site C and site C includes an image tag for site D, and site D attempts to set a cookie, what will the two routines return? In this case I need to get back C and not D.
As a user, I think of a third-party cookie as any cookie whose domain doesn't match the URL currently being shown in the URL bar of the window. Does that translate acceptably into the implementation, and if so, isn't there some call that will return that URL?
morse: when access is made to site C and site C includes an image tag for site D, and site D attempts to set a cookie, GetOriginalURI will return site D. GetURI may return site D or some other site if the image tag results in a redirect.
nav triage team: Marking nsbeta1+, nsBranch, and p2
Keywords: nsbeta1+, nsBranch
Priority: -- → P2
Based on Darin's two responses, neither GetURI nor GetOriginalURI are satisfactory for determining if we have a third-party cookie. Is there some other call that I can use, or can a new API be added to return what I need. Basically I need the following: case 1: If an access is made to site A and site A does a redirect to site B and site B attempts to set a cookie, I need to get site B. case 2: If an access is made to site C and site C includes an image tag for site D, and site D attempts to set a cookie, I need to get site C. In summary, I need the first site after the last redirect, or the original site if there were no redirects.
> As a user, I think of a third-party cookie as any cookie whose domain doesn't > match the URL currently being shown in the URL bar of the window. If that equates to the criteria that I just stated, that's fine. If not, this request would be for a change in semantics over what 4.x (and current 6.x) and I would recommend agains making any such change at this late date. We would have no idea as to what sites will be broken as a result of making such a change.
Status: NEW → ASSIGNED
steve what you need to do is to get the URI thru the default channel of the loadgroup (which is always the parent page) So in your example of a page C with an image on D. - From the channel on D get the loadgroup - From that loadgroup get the default channel (which will be for C) - From that channel get the URI (getOriginalURI if you need the one that it was initiated with and getURI if you need the one it resolved to after redirects)
morse: it sounds like what you need is to be able to get the URL for "the final" toplevel document always. is that right? unfortunately, i'm not sure there is a way to always do that given a nsIHttpChannel. you can check to see if the http channel is the toplevel page by checking for the LOAD_DOCUMENT_URI load flag on the channel (see nsIRequest::GetLoadFlags), and you can get the nsILoadGroup associated with the channel, but there is no requirement that a channel have a load group (and imagelib doesn't associate a load group with the http channels it creates). so, i'm sort of at an end here... i'm not sure what to do.
gagan: that won't always work because imagelib doesn't associate load groups w/ the http channels it creates.
doh! You are right about the images case darin. Your suggestion would help in knowing whether the image/channel is top level or not but I think morse still needs a way to get to the top level document (uri really). I think this can be safely solved if imagelib sets the toplevel document's URI on to the dummy-load group that it creates (or read alternatively as-- set the default load channel to be the same as the original loadgroup's) That way my suggestion would still work. Pav do you think this might affect your stuff? What is the default channel in imagelib's dummy load group?
The logic sounds right as described by morse@netscape.com, but frames and iframes (see bug 67447) also need to be handled somehow. I personally don't think iframes should be able to set cookies, but it doesn't make a big difference to me and I don't have an opinion at all on frames. Also other forms of non-page, non-image content like stylesheets and external .js
as far as these other elements are concerned, let's just make sure we are compatible with nav4x and IE.
We are not compatible with nav 4. 1. I set my prefs to no-third-party cookies, and warn before accepting cookies. 2. I go to my test site http://people.netscape.com/morse/bug.htm nav 4 results: no warning, no cookie is set nav 6 results: warning appears I don't see any way to block 3rd-party cookies in my version (5.50) of IE so I don't know if we are compatible with them or not.
Based on the comments from darin above, it appears that I can't solve the problem unless networking gives me an API that returns the URL for "the final" toplevel document always. I've already tried assigning this to networking but it was bounced back to me. If it remains my bug, I'll have to close it out as wont-fix, which would be unfotunate because we are then no longer compatible with our previous browsers. darin, please let me know if I should do that or if you will accept the assignment of this bug.
Depends on: 87731
morse: sorry to burst your bubble but the bug is still yours... you are only blocked on doing this till bug 87388 gets resolved. In the meantime you could go ahead and implement my suggestion-- that will take care of most of the cases for you. When bug 87388 is fixed this will work correctly for all the remaining imagelib cases as well.
gagan, sorry to burst *your* bubble, but what you suggested I do is exactly what the present state of affairs are. Namely - From the channel on D get the loadgroup - From that loadgroup get the default channel (which will be for C) - From that channel get the URI (getOriginalURI if you need the one that it was initiated with and getURI if you need the one it resolved to after redirects) The code that is currently in nsCookieHTTPNotify.cpp is shown below. It does exactly what you just described. So there is nothing left to be done here on the cookie side. So the only things I can do now are either close this bug out as wont-fix or reassign this bug to to the networking group to finish up on. --------------- // Get the original url that the user either typed in or clicked on nsCOMPtr<nsILoadGroup> pLoadGroup; rv = aHttpChannel->GetLoadGroup(getter_AddRefs(pLoadGroup)); if (NS_FAILED(rv)) return rv; nsCOMPtr<nsIChannel> pChannel; if (pLoadGroup) { nsCOMPtr<nsIRequest> pRequest; rv = pLoadGroup->GetDefaultLoadRequest(getter_AddRefs(pRequest)); if (NS_FAILED(rv)) return rv; pChannel = do_QueryInterface(pRequest); } nsCOMPtr<nsIURI> pFirstURL; if (pChannel) { rv = pChannel->GetURI(getter_AddRefs(pFirstURL)); } else { rv = aHttpChannel->GetURI(getter_AddRefs(pFirstURL)); } if (NS_FAILED(rv)) return rv;
morse: gagan meant to say that this bug is blocked on bug 87731, which belongs to pavlov. perhaps this should be a dupe of that bug instead??
That sounds like a good solution. Because once bug 87731 is fixed, there should be nothing further to do here. *** This bug has been marked as a duplicate of 87731 ***
Status: ASSIGNED → RESOLVED
Closed: 24 years ago24 years ago
Resolution: --- → DUPLICATE
QA Contact: benc → tever
*** Bug 102092 has been marked as a duplicate of this bug. ***
This problem still exists, reopening. Fixing bug 87731 might magically make this start working again, but we really can't be sure it's not masking other bugs until it's cleared. QA verifying bug 87731 wouldn't necessarily think to re-check 3rd party cookies. Plus with this closed you're just going to gather duplicates from folks who search for cookie bugs before filing but for some reason don't think to read all imagelib bugs.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Marking as 9.6 but that will slip if bug 87731 slips.
Status: REOPENED → ASSIGNED
Target Milestone: mozilla0.9.3 → mozilla0.9.6
sounds too risky for the benefit at this point. nsbranch-
Keywords: nsbranchnsbranch-
There's no way to just grab the URI in the location bar? All you need is the domain from that. It's updated for redirects too. If you can't access that, whatever C++ code is setting that, have it set something the cookie code can access too. When a script sets a cookie, we're going to need to check it too, to see if the script is local.
Blocks: 107067
Keywords: nsbranch-
Bug 87388 was marked "won't fix"--does Mozilla intend to drop support for third-party cookie blocking?
If bug 87388 is not fixed, there is no way for the cookie module to be able to determine if a cookie is a third-party cookie or not.
Worse yet, all the p3p code that was just added depends on our being able to determine if the cookie is from a third party. So all that code will not work correctly. cc'ing harishd and barrowma for the p3p implications of this.
You mean bug 87731 was marked WONTFIX, and note that "Mozilla" has no intentions whatsoever. Some developers value this feature, and certain others--who broke it in the first place--obviously don't value it if it costs them any work. Never mind that security and privacy is one of the few compelling benefits of Mozilla over IE that end-users (e.g. my Mom) can understand.
Keywords: 4xp, regression
calling this critical.
Severity: normal → critical
This bug used to be blocked by 87731. If bug 87731 is not going to be fixed, there needs to be some other way for the cookie module to determine third-party cookies. So I just opened bug 107579 for that ability. Bug 107579 is now blocking this bug. As mentioned above, this bug will slip from 9.6 if bug 87731 slips from 9.6. Since that just happened, changing the target milestone of this bug to 9.8, but it will slip out further depending on what target milestone is assigned to bug 107579.
Depends on: 107579
Really setting target milestone to 0.9.8 this time. (I thought I did it yesterday but apparently I didn't.)
Target Milestone: mozilla0.9.6 → mozilla0.9.8
Blocks: 112941
fixing spello in summary for search friendliness
Summary: third-party cookie blocking doesn't work → third party cookie blocking doesn't work
Depends on: 67447
So you changed "third-party cookie" to "third party cookie" claiming it was a spelling error otherwise. Turns out it was correct the original way because it avoids any possible mis-reading. But if it helps for searching, then I have no objections with leaving out the hyphen.
> claiming it was a spelling error otherwise According to "Merriam-Webster OnLine" and Wordnet, there is no hyphen. I changed a few other bugs so now searching for "third party" in the summary as a substring should return them all. (the bigger problem were ones with stuff like "3rd party") Of course, this *is* from a dictionarary that calls itself "OnLine", which doesn't instill a great deal of confidence in its definitions.
removing vestigial dependencies. This is blocked by bug 107579 alone.
No longer depends on: 67447, 87731
Blocker bug 107579 just got deferred to 0.9.9. So this bug must do the same.
Target Milestone: mozilla0.9.8 → mozilla0.9.9
*** Bug 121271 has been marked as a duplicate of this bug. ***
Making the summary more query friendly
Summary: third party cookie blocking doesn't work → third party cookie blocking doesn't work when "Enable cookies for the originating Web site only" is set
So you changed the title from third party cookie blocking doesn't work to third party cookie blocking doesn't work when "Enable cookies for the originating Web site only" is set Well if that makes you happy, then I'll leave it that way. But it makes me wonder as to when else we could possibly have third-party cookie blocking.
Keywords: nsbeta1
Note going to make it in 0.9.9. Moving out to 1.0
Target Milestone: mozilla0.9.9 → mozilla1.0
Posting a patch that correctly recognizes third-party cookies. This patch requires that the patch that I posted for bug 107579 be applied as well (it is not yet checked in). To test this out, apply both patches (the one here and the one in bug 107579), then run the tests at either of the following and note the printf output on the consule http://warp/u/morse/cookies/ -- inside netscape firewall http://people.netscape.com/morse/cookies/ -- outside firewall The reason I am giving an address inside the firewall is that there is currently an error in the external version and the correction that I posted for it won't be visible outside the firewall until tomorrow.
I forgot to mention that before running the test, you need to change DEBUG_morse to just DEBUG in nscookies.cpp.
Comment on attachment 70505 [details] [diff] [review] properly detects third party cookies in all cases r=dveditz
Attachment #70505 - Flags: review+
Oops,I forgot about the http request. The previous patch was for the 3rd-party test on the http response only. Attaching a new patch that does the same sort of thing for the request as well.
Attachment #70505 - Attachment is obsolete: true
*** Bug 67447 has been marked as a duplicate of this bug. ***
Comment on attachment 70771 [details] [diff] [review] same patch extended to handle http request as well as response >Index: nsCookies.cpp >+ char* firstSpec = nsnull; >+ rv = pFirstURL->GetSpec(&firstSpec); >+ PR_FREEIF(firstSpec); how about using nsXPIDLCString instead? nsXPIDLCString firstSpec; rv = pFirstURL->GetSpec(getter_Copies(firstSpec)); otherwise, sr=darin
Attachment #70771 - Flags: superreview+
Darin, I originally tried to use an nsXPIDLCString for firstSpec. Problem is that firstSpec is then passed as an argument to COOKIE_SetCookieStringFromHttp and that routine has it declared as a char* rather than a const char*. Yes, it really should be changed to const char*, but then there are other ripple effects of the change that will permeate throughout the module. So what started out as a simple change to this file will result in a substantial rewrite of the file with the risk of introducing regressions.
oh right... i forgot about that. i hit the same problem while working on some upcoming nsIURI changes for bug 124042 :( we really should fix the const'ness of those methods at some point.
nsbeta1+
Keywords: nsbeta1nsbeta1+
Comment on attachment 70771 [details] [diff] [review] same patch extended to handle http request as well as response r=dveditz
Attachment #70771 - Flags: review+
Comment on attachment 70771 [details] [diff] [review] same patch extended to handle http request as well as response a=asa (on behalf of drivers) for checkin to 0.9.9 and the mozilla trunk
Attachment #70771 - Flags: approval+
>>+ char* firstSpec = nsnull; >>+ rv = pFirstURL->GetSpec(&firstSpec); >>+ PR_FREEIF(firstSpec); >> >>how about using nsXPIDLCString instead? > >... Problem is that firstSpec is then passed as an argument to >COOKIE_SetCookieStringFromHttp and that routine has it declared as a char* >rather than a const char*. So use nsXPIDLCString firstSpec; as Darin suggested, then pass NS_CONST_CAST(char *, firstSpec.get()) to the routines that should be constipated, but aren't yet. Also, in the "not that we care for 1.0, but why make things worse for later, when we'll have even more places to clean up", don't use PR_FREEIF -- use nsMemory::Free if you can't use nsXPIDLCString. But use nsXPIDLCString with const_cast'ed .get()s, because automatic storage management wins every time, and cleaning up the const_casts entails surveying exactly the COOKIE_* APIs that need to be constipated, and not rewriting a bunch of manual-allocation code yet again. I think this should be done now, not later -- morse, are you game? If you run into some roadblock, give a shout here, I'll read my cc-list bugmail. /be
Attachment #70771 - Attachment is obsolete: true
Comment on attachment 72197 [details] [diff] [review] Same patch but with nsXPIDLCString per Brendan's request Cool, thanks -- all review and approval marks should carry forward if it compiles and runs as before. /be
Attachment #72197 - Flags: superreview+
Attachment #72197 - Flags: review+
Attachment #72197 - Flags: approval+
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago24 years ago
Resolution: --- → FIXED
Tested with branch 2002030414, with both cookies and images set to 'only from originating server'. Went to cnn.com. toolbar images from toolbar.netscape.com are loaded, as well as an ad from ar.atwola.com. Headline image from i.cnn.net corrently NOT loaded. Went to msn.com. No problems. Went to time.com. Cookie for .pathfinder.com ACCEPTED. Same wrong images as cnn.com accepted. (I believe you duped the 3rd paty image bugs here too)
That's not a valid test. Did you look at the traffic to see how those cookies got set? There are many known ways for a third-party site to look like a first-party site so that they can set cookies. We are not trying to stop that (there is no way that we can). What this bug is trying to do is to duplicate the behavior of 4.x so that overt third-party cookies won't get set. As an example of what I'm referring to, sites have learned that they can get around the third-party restriction by doing a redirect to the ad server, passing in their own URL in the query string. The ad server is now a first-party site (that's what redirect means), it sets a cookie, and then it redirects back to the site whose URL is in the query string it received.
wget time.com shows no redirect to pathfinder.com for the main page. It does one redirect, to another page on time.com. I don't see why a redirect on an images would be able to get around this. % wget time.com HTTP request sent, awaiting response... 302 Moved Temporarily Location: http://www.time.com/ [following] HTTP request sent, awaiting response... 302 Moved Temporarily Location: http://www.time.com/time/ [following] HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] What about the image issues, there shouldn't be any such backdoor WRT third party image loading. Is that supposed to be fixed with the new capabilities from 107579 yet?
verified - win NT4, linux rh6, mac osX
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: