Bug 1752229 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

STR:
1. In a fresh Firefox profile, visit https://www.mozilla.org/en-US/firefox/accounts/
--> Notice you get page content that indicates you're not signed in.

2. Now sign in to Firefox (Sign in in Tools or Hamburger menu), or switch to your regular browsing profile where you are signed in, and visit https://www.mozilla.org/en-US/firefox/accounts/ again.
--> Notice that you get page content that indicates you are signed in (literally "You're signed in to Firefox")

3. Now, open a private window (ctrl+shift+p) and visit https://www.mozilla.org/en-US/firefox/accounts/ again.

ACTUAL RESULTS:
Page content that knows that I'm signed in to Firefox.

EXPECTED RESULTS:
Since I'm in a brand-new private window, it's surprising that mozilla.org has information about my login state.


NOTES:
I've been told this differential-rendering of https://www.mozilla.org/en-US/firefox/accounts/ is actually using the UITours API, which is whitelisted to only a few Mozilla domains (and the API in question only reports *that you are signed in to the browser*, and nothing more). So it's unlikely that this is any actual risk / privacy leakage here.

Nonetheless, this **gives the appearance** of a privacy bug. To a user, the "You're signed in" message here makes it seem like Firefox might be co-mingling cookies between the regular browsing session and the private browsing session.

We should avoid giving that appearance to avoid needlessly startling users. One way of doing this might be to nerf any login-state-relevant pieces of this API in Private Browsing mode; not sure if that would break anything or if there are any better approaches to addressing this.

STR:
1. In a fresh Firefox profile, visit https://www.mozilla.org/en-US/firefox/accounts/
--> Notice you get page content that indicates you're not signed in.

2. Now sign in to Firefox (Sign in in Tools or Hamburger menu), or switch to your regular browsing profile where you are signed in, and visit https://www.mozilla.org/en-US/firefox/accounts/ again.
--> Notice that you get page content that indicates you are signed in (literally "You're signed in to Firefox")

3. Now, open a private window (ctrl+shift+p) and visit https://www.mozilla.org/en-US/firefox/accounts/ again.

ACTUAL RESULTS:
Page content that knows that I'm signed in to Firefox.

EXPECTED RESULTS:
Since I'm in a brand-new private window, I would not expect mozilla.org to know any information about my login state.


NOTES:
I've been told this differential-rendering of https://www.mozilla.org/en-US/firefox/accounts/ is actually using the UITours API, which is whitelisted to only a few Mozilla domains (and the API in question only reports *that you are signed in to the browser*, and nothing more). So it's unlikely that this is any actual risk / privacy leakage here.

Nonetheless, this **gives the appearance** of a privacy bug. To a user, the "You're signed in" message here makes it seem like Firefox might be co-mingling cookies between the regular browsing session and the private browsing session.

We should avoid giving that appearance to avoid needlessly startling users. One way of doing this might be to nerf any login-state-relevant pieces of this API in Private Browsing mode; not sure if that would break anything or if there are any better approaches to addressing this.

STR:
1. In a fresh Firefox profile, visit https://www.mozilla.org/en-US/firefox/accounts/
--> Notice you get page content that indicates you're not signed in.

2. Now sign in to Firefox (Sign in in Tools or Hamburger menu), or switch to your regular browsing profile where you are signed in, and visit https://www.mozilla.org/en-US/firefox/accounts/ again.
--> Notice that you get page content that indicates you are signed in (literally "You're signed in to Firefox")

3. Now, open a private window (ctrl+shift+p) and visit https://www.mozilla.org/en-US/firefox/accounts/ again.

ACTUAL RESULTS:
Page content that knows that I'm signed in to Firefox.

EXPECTED RESULTS:
Since I'm in a brand-new private window, I would not expect any websites (including mozilla.org) to know any information about me being signed in to anything.


NOTES:
I've been told this differential-rendering of https://www.mozilla.org/en-US/firefox/accounts/ is actually using the UITours API, which is whitelisted to only a few Mozilla domains (and the API in question only reports *that you are signed in to the browser*, and nothing more). So it's unlikely that this is any actual risk / privacy leakage here.

Nonetheless, this **gives the appearance** of a privacy bug. To a user, the "You're signed in" message here makes it seem like Firefox might be co-mingling cookies between the regular browsing session and the private browsing session.

We should avoid giving that appearance to avoid needlessly startling users. One way of doing this might be to nerf any login-state-relevant pieces of this API in Private Browsing mode; not sure if that would break anything or if there are any better approaches to addressing this.