Closed Bug 290456 Opened 19 years ago Closed 13 years ago

Clear plugin data in "clear private data"/"forget about this site"

Categories

(Firefox :: Private Browsing, enhancement)

Product:
Firefox
Component:
Private Browsing
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- -

People

(Reporter: philip.chee, Assigned: dwitte)

References

(
URL
)

Details

(Keywords: privacy, Whiteboard: [sg:want]) 

User-Agent:       Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8a6) Gecko/20050111 MultiZilla/1.8.0.0a Mnenhy/0.7.2.0
Build Identifier: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8a6) Gecko/20050111 MultiZilla/1.8.0.0a Mnenhy/0.7.2.0

Flash "cookies" or "persistent identification elements" aka PIE are actually
Flash MX shared local objects.  To quote the article:

"When a consumer goes to a PIE-enabled website, the visitor's browser is tagged
with a Flash object that contains a unique identification similar to the text
found in a traditional cookie. In this way, PIE acts as a cookie backup, and can
also restore the original cookie when the consumer revisits the site."

Please consider blocking these kinds of "cookies" too.

I'm sure that there must be a duplicate bugzilla bug in here somewhere but I
can't find it.

Reproducible: Always

Steps to Reproduce:
Update: there is an extension for Firefox that does this:
<http://www.yardley.ca/objection/>

"What is 'objection'?

objection is an extension for Firefox that adds deletion of Local Shared Objects
to the Option > Privacy panel."

It would be nice for this feature to be integrated into firefox.
that page made it clear that this is handled entirely in the plugin. thus, it is
completely out of the scope of the networking library. -> ffox frontend

(Hm... comment 0 says you are using mozilla, not firefox?)
Assignee: darin → firefox
Component: Networking: Cookies → General
Product: Core → Firefox
QA Contact: networking.cookies → general
Summary: [Enh] Block Flash MX "cookies" as well → Block Flash MX "cookies" as well
 Christian Biesinger (:bi) wrote:

> (Hm... comment 0 says you are using mozilla, not firefox?)

I'm from the Flashblock team so I use both for testing. I opened this bug
because someone in the flashblock mailing list asked us to block flash cookies
as well.  I thought that this was more appropriate as part of firefox/seamonkey
instead of an extension - then several minutes later I find the "objection"
extension while looking for something else.

Grrr.  The author of objection totally replaces PrivacyPanel.clearAll() instead
of handing off to the original after processing the LSOs.
*** Bug 298825 has been marked as a duplicate of this bug. ***
I don't see a dupe of this bug, marking as new.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: bross2 → nobody
Summary: Block Flash MX "cookies" as well → Block/clear Flash MX "cookies" as well
Flags: blocking-firefox3?
Whiteboard: [sg:want]
Keywords: privacy
There is no patch. And even if there were, it would have i18n impact. I think it's too late in this cycle to block.
Updated link to the Objection extension (Delete Flash Local Shared Objects):
http://objection.mozdev.org/
Not blocking, far too late for changes of this type.
Flags: blocking-firefox3? → blocking-firefox3-
Surely there are other plugins that store private data. Shouldn't we simply have a "Plug-in data" checkbox in the Clear Private Data... window? Why clear just cookies and leave other private data on disk?
Is there a universal "clear plugin private data" API or does each plugin do things differently? If the latter I don't see how it would be practical to build in awareness of any and all plugin data handling not just for currently existing plugins but for any hypothetical future plugins from some obscure developer in Upper Moldavia. 
There doesn't have to be a consistent API for Firefox to do its best for the common ones, Flash, Java, QuickTime, WMP, Acrobat and a few others.
(In reply to comment 15)
> There doesn't have to be a consistent API for Firefox to do its best for the
> common ones, Flash, Java, QuickTime, WMP, Acrobat and a few others.

In that case I suggest that having a "Plug-in data" checkbox in the Clear Private Data dialog would give a wrong impression, not to mention a false sense of security to the average mom'n'pop user who doesn't realise that this only clears data from popular plugins. Unless of course you change it to a "Some Plug-in data" checkbox.
Philip, no more misleading than our current "clear cookies" or "clear offline website data" (and probably others) neither of which are cleared in certain plugin cases.  You're making perfect the enemy of good here.  We can probably never get everything and we can't be 100% accurate in our labeling without making the dialog unusable. 
> You're making perfect the enemy of good here.

Asa, normally I'd agree with you (i.e get something working first, worry about perfection later), but one of our "selling points" is that Firefox does security better than that other browser so I want to be more cautious when it comes to this type of issue. But I'll defer to the security and UI people who know more about these sort of things.
Component: General → Private Browsing
QA Contact: general → private.browsing
Hi just wanted to let y'all know, the objection plugin is not compatible with 3.5. Thus the workaround no longer works.
https://addons.mozilla.org/en-US/firefox/addon/6623

BetterPrivacy 1.29
Works with Firefox: 2.0 – 3.6a1pre
Blocks: 508068
Hi,

we (Adobe) are planning on supporting private browsing in Firefox and other browsers in a forthcoming Flash Player release.

additionally, we would welcome an NPAPI addition that would be called when a user wants to clear their private data. this is in our future plans also, but would likely happen a lot faster if this was implemented by Mozilla, rather than us having to write the patch for it ourselves.
also PLEASE do not try to clear LSO's in the browser code - imo this is something that should be handled by plugins themselves via an NPAPI addition.
Ian

Does Adobe have somewhere where interested people can contribute to discussion on the implementation? There are some, in my opinion, very complex issues that Adobe will have to overcome.

I have been looking at implementing Private Browsing mode support into Objection and the only solutions I came up with could create big problems for the user.
Depends on: 508167
Linux users or extension developers may wish to know that the popular swfdec plugin stores site information in the file ~/.config/swfdec-mozilla (or similar).
Ian -

With Private Browsing, it looks like Adobe has decided to ask the browser if it is in Private Browsing and choose its mode based on that, correct?

Also, I don't see anything in https://bugs.adobe.com for allowing the browser to tell Flash what to clear.

All -

If this bug was specifically for Firefox Private Browsing, then I'd say it is resolved and a separate bug is needed for regular browsing.
Chrome now allows the user to clear Flash cookies. Their idea might be worth checking out: http://www.imasuper.com/640/technology/chrome-adds-links-to-clear-adobe-cookies/

Their solution is not complete, but at least a first step towards some control.
Flags: blocking1.9.0.19?
Flags: blocking1.9.0.19?
Blocks: 565561
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Component: Private Browsing → Security
QA Contact: private.browsing → firefox
> obsolete.fax@gmail.com changed:
>
>           What    |Removed                     |Added
> ----------------------------------------------------------------------------
>          Component|Private Browsing            |Security
>          QAContact|private.browsing@firefox.bu |firefox@security.bugs
>                   |gs                          |

Please don't randomly change component and flags if you don't know what you are doing.
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
blocking2.0: ? → ---
Component: Security → Private Browsing
QA Contact: firefox → private.browsing
(In reply to comment #29)
> > obsolete.fax@gmail.com changed:
> >
> >           What    |Removed                     |Added
> > ----------------------------------------------------------------------------
> >          Component|Private Browsing            |Security
> >          QAContact|private.browsing@firefox.bu |firefox@security.bugs
> >                   |gs                          |
> 
> Please don't randomly change component and flags if you don't know what you are
> doing.

I changed component from (In reply to comment #29)
> > obsolete.fax@gmail.com changed:
> >
> >           What    |Removed                     |Added
> > ----------------------------------------------------------------------------
> >          Component|Private Browsing            |Security
> >          QAContact|private.browsing@firefox.bu |firefox@security.bugs
> >                   |gs                          |
> 
> Please don't randomly change component and flags if you don't know what you are
> doing.

I changed component from Private Browsing to Security because there is no Private Browsing component in 3.0.19. I changed to Security, as then websites can see what Flash cookies are there (what websites you have visited.)
mconnor has already minused blocking-firefox3-. Don't renominate bugs for a branch that have already been denied by drivers.

This is a privacy issue not a security issue. Please don't confuse the two concepts.

There are no patches here. Nobody is working on this bug - See the Assigned to field. It is useless nominating bugs such as this without a clear plan, without clear goals, without any working patches. If you want to discuss this issue please do it in the mozilla forums e.g. newsgroup mozilla.dev.apps.firefox rf the associated mailing list.
Presumably this missed 4 but I see no way to nominate for 4.next so giving blocking2.0? a shot.  (btw, implemented in Chrome here http://codereview.chromium.org/5579002/ )
blocking2.0: --- → ?
Looks like they did it by making modifications to the version of Flash that they ship, which we can't really do at the moment. We can't block 2.0 on this at this point.
blocking2.0: ? → -
The NPP_ClearSiteData API is being finalized right now, and given Adobe's interest they'll likely implement it fairly quickly. We should get started on the Firefox code to aid in their testing, with an eye to roll this out in a point release.
Changing summary to better describe what we're actually going to do here. (If we want a separate bug on clearing plugin data when you clear cookies, we should file one, but I don't have a strong opinion right now. I think this will be better solved with the new site preferences/history UI in the works.)
Assignee: nobody → dwitte
Summary: Block/clear Flash MX "cookies" as well → Clear plugin data in "clear private data"/"forget about this site"
Depends on: 618461
I suspect that this bug will become a meta, since it's about "plugin data" now and bug 618461 is just about Adobe Flash. That's probably OK. I'm going to open a new bug for the UI hookup for Flash.
For those interested:

Bug 625495 - Clear Adobe Flash Cookies (LSOs) when Clear Cookies is selected in the Privacy > Custom > Clear History When Firefox Closes > Settings... dialog

Bug 625496 - Clear Adobe Flash Cookies (LSOs) when Cookies is selected in Clear Recent History

Bug 625497 - Clear Adobe Flash Cookies (LSOs) when "Forget This Site" is selected
Fixed by bug 508167 and the above.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.