1240698 - Firefox automatically accepts third-party cookies when 1st party cookies are allowed

Status: RESOLVED INVALID

(Core :: Networking: Cookies, defect, P3)

Description

[msth67]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20151019161651

Steps to reproduce:

Disabled cookies in Preferences-->Privacy-->Accept cookies from sites, then enabled cookies again checking the same option.



Actual results:

Third-party cookies are also automatically accepted when checking the  Preferences-->Privacy-->Accept cookies from sites checkbox.



Expected results:

Firefox should not automatically accept third-party cookies when a user re-enables cookies after having disabled them.

In fact, I believe Firefox should not accept  third-party cookies *at all* by default (and I remember that was idea of the Cookie Clearinghouse), but even more so after someone disables cookies and then enables them again: you usually do that to be able to login into websites, and third-party cookies are 99% of the time not needed for that.

As a matter of fact, they are purely tracking cookies and there's no reason  to allow them by default neither to automatically link them to the general "Accept cookies from sites" switch.

If a website really needs third-party cookies in order to function properly, it should be up to them to issue a warning: it should not be Firefox's responsibility to allow third-party cookies by default when 1st party cookies are allowed.

Comment 1

[Robin]

Attachment: Privcy_cookies_default.ogv

This is a video showing the action that occurs. This is a major privacy issue.

Comment 2

[Robin]

I was going to report this bug as well.

With the removal of "Ask me every time", https://bugzilla.mozilla.org/show_bug.cgi?id=606655 this is an even bigger problem than before.  It now creates a big privacy hole for many people.

I agree with the originator that the default should be to block third party cookies.  If "Ask me every times" was still in Firefox, this wouldn't be as big of an issue as third party cookies would be asked for each time in many peoples cases.

Comment 3

[Amit Kumar Jaiswal]

That's something different really, I wouldn't want people overloading it, but it might work as a short-term fix measure. I think it happens due to UI update of firefox from a previous version, not for new designs.

Comment 4

[Mitch L]

Had a look at this, it seems both the "Accept cookies from sites" checkbox and the "Accept third-party cookies" menulist in Privacy settings are both bound to "network.cookie.cookieBehavior" so when you disable all cookies with the checkbox, any options you previously had entered in the menulist are lost.

Comment 5

[Robin]

As Firefox promotes (at least to many) privacy features, this is a major issue towards privacy.

Needs to be fixed to ensure privacy.

Comment 6

[Amy Chung [:Amy]]

I found this behavior of bug is normal---the "network.cookie.cookieBehavior" should changes to Never when user cancel the selection "Accept cookies from sites".
Because Necko would be to read the value from "network.cookie.cookieBehavior" to decide to save cookie in DB or not.
If users want to get the "network.cookie.cookieBehavior" that they selected when the selection be enabled,
the behavior of above has to modify on privacy.js and needs to front-end helping to fix this bug.

Comment 7

[Firefox Bug Husbandry Bot]

Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258

Comment 8

[Firefox Bug Husbandry Bot]

Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258

Comment 9

[Andrea Marchesini [:baku]]

Recently we have introduced a new cookiebehavior (4) to block 3rd party trackers. We are also working on cookieBehavior 5 where we partition the cookie jar of 3rd party contexts. Both features are part of the anti-tracking project. I'm going to mark this bug as invalid, but feel free to contact me directly or file a new bug on the anti-tracking component if you think that what we are going is not enough. Thanks.