Closed
Bug 1309800
Opened 8 years ago
Closed 8 years ago
The firstPartyDomain should be blogger.com, not google.com (Enter "blogger.com" in Url bar)
Categories
(Core :: DOM: Security, defect, P3)
Core
DOM: Security
Tracking
()
RESOLVED
INVALID
People
(Reporter: cynthiatang, Assigned: jhao)
References
(Blocks 1 open bug)
Details
(Whiteboard: [tor][domsecurity-active][dfpi-ok])
Attachments
(1 file)
1016.99 KB,
image/png
|
Details |
This issue can be reproduced in Non-e10s and e10s Default search engine: Google Step: 1. Clear all History and Cookies 1. Launch Firefox browser 2. Go to blogger.com 3. Click on the Add-ons “Cookies Manager +” to view the originAttributes Actual result: - Video: https://youtu.be/V9fVhmt56Dw - There are 3 cookies. 1. Domains: accounts.google.com firstPartyDomain: google.com 2. Domains: .blogger.com firstPartyDomain: blogger.com 3. Domains: .blogger.com firstPartyDomain: blogger.com Expected result: - The firstPartyDomain should be "blogger.com", not "accounts.google.com" Firefox version: 52.0a1 (2016-10-11) (64-bit)
Comment 1•8 years ago
|
||
Kamil, please help to investigate this bug, thanks!
Flags: needinfo?(kjozwiak)
Priority: -- → P1
Updated•8 years ago
|
Priority: P1 → P3
Comment 2•8 years ago
|
||
This could be correct behavior since it's a top level redirect. Logically in this case (A->B->A) you could argue it's all in the context of A; other redirect cases would be more problematic such as search result links that redirect through the search provider before landing on the final target. Certainly don't want all my search results to live in the bucket of the search provider. The browser can't tell we're in an "auth loop" when it gets the first redirect. We could (or Tor could) whitelist a bunch of known auth providers like google and facebook and maybe that would be good enough for them?
Updated•8 years ago
|
Updated•8 years ago
|
Assignee: nobody → jhao
Assignee | ||
Comment 3•8 years ago
|
||
We can clearly see in dev tools that this page has been redirected to account.google.com and back again.
Flags: needinfo?(kjozwiak)
Assignee | ||
Comment 4•8 years ago
|
||
I agree with Dan that this is correct behavior.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Comment 5•8 years ago
|
||
(In reply to Jonathan Hao [:jhao] from comment #3) > Created attachment 8813553 [details] > Screen Shot.png > > We can clearly see in dev tools that this page has been redirected to > account.google.com and back again. Jonathan, thanks for confirming this!
Comment 6•8 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #2) > This could be correct behavior since it's a top level redirect. Logically in > this case (A->B->A) you could argue it's all in the context of A; other > redirect cases would be more problematic such as search result links that > redirect through the search provider before landing on the final target. > Certainly don't want all my search results to live in the bucket of the > search provider. [...] On the other hand, all your search results are known to the search provider anyhow. Say you have search provider G, and Gr is another domain that redirects to the search result, R. (G -> Gr -> R.) I think assigning Gr the firstPartyDomain of G is probably OK. See also bug 1319839 comment 5. (Off-topic, but we could include a nonce in the OriginAttributes for use with things like search providers. So each time we connect to G with a new search, we get a new bucket: G[1], G[2], G[3]. The 302 at Gr would be assigned a new bucket each time as well.)
Updated•4 years ago
|
Whiteboard: [tor][domsecurity-active] → [tor][domsecurity-active][dfpi-ok]
You need to log in
before you can comment on or make changes to this bug.
Description
•