Closed Bug 1488785 Opened Last year Closed Last year

The storage access permission doesn't honour private browsing

Categories

(Firefox :: Protections UI, defect, P1)

Tracking

VERIFIED FIXED
Firefox 64
Tracking Status
firefox62 --- unaffected
firefox63 + verified
firefox64 + verified

People

(Reporter: ehsan, Assigned: ehsan)

References

(Blocks 1 open bug)

Attachments

(3 files)

STR:

1. In a new profile, set network.cookie.cookieBehavior to 4.
2. Open a private window.
3. Go to https://de.ign.com/marvels-the-avengers-infinity-war-part-1/130638/news/thanos-sollte-in-avengers-infinity-war-ursprunglich-durch-ei.
4. Click on the Facebook like button.  A Facebook login window opens.  Click somewhere on that window.
5. Close Firefox, go to the console and run the following commands:

  $ sqlite3 path/to/firefox/permissions.sqlite
  > select * from moz_perms;
  1|https://de.ign.com|3rdPartyStorage^https://www.facebook.com|1|2|1538751487216|1536159487216

The permissions database shouldn't contain an entry revealing the domains visited in private mode.
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Priority: -- → P1
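
Added example, not part of the bug report or of Firefox's code: a read-only audit of permissions.sqlite that performs the check from step 5 of the STR and lists every persisted storage access grant with the visited site, the embedded origin and the grant's lifetime. The moz_perms column names and the function names are assumptions inferred from the seven-field row quoted in the report; the sample database is constructed in memory.

```python
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

PREFIX = "3rdPartyStorage^"   # permission type prefix seen in the report
DAY_MS = 86_400_000

def open_readonly(db_path):
    """Open a profile's permissions.sqlite without modifying it (Firefox closed)."""
    return sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)

def storage_access_grants(conn):
    """List persisted storage access grants: who embedded whom, when, for how long."""
    rows = conn.execute(
        "SELECT origin, type, expireTime, modificationTime FROM moz_perms "
        "WHERE substr(type, 1, ?) = ?", (len(PREFIX), PREFIX))
    grants = []
    for origin, ptype, expire_ms, modified_ms in rows:
        grants.append({
            "first_party": origin,                 # site the user was visiting
            "granted_to": ptype[len(PREFIX):],     # embedded third-party origin
            "granted": datetime.fromtimestamp(modified_ms / 1000, timezone.utc),
            "lifetime_days": (expire_ms - modified_ms) / DAY_MS if expire_ms else None,
        })
    return grants

def sample_db():
    """In-memory database; column names are assumed from the seven-field row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_perms (id INTEGER PRIMARY KEY, origin TEXT, "
                 "type TEXT, permission INTEGER, expireType INTEGER, "
                 "expireTime INTEGER, modificationTime INTEGER)")
    conn.executemany("INSERT INTO moz_perms VALUES (?,?,?,?,?,?,?)", [
        # Row quoted in the report.
        (1, "https://de.ign.com", "3rdPartyStorage^https://www.facebook.com",
         1, 2, 1538751487216, 1536159487216),
        # Constructed row of an unrelated permission type; must not be reported.
        (2, "https://example.org", "desktop-notification", 1, 0, 0, 1536159487216),
    ])
    return conn

if __name__ == "__main__":
    for g in storage_access_grants(sample_db()):
        print(f"{g['first_party']} -> {g['granted_to']} "
              f"granted {g['granted']:%Y-%m-%d}, lifetime {g['lifetime_days']} days")
```

On a profile that was only used in private windows, an empty result from storage_access_grants(open_readonly(path)) is the expected outcome.
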
Comment on attachment 9006600 [details]
Bug 1488785 - Part 1: Don't save persistent storage access permissions for private browsing contexts; r=baku

Approval Request Comment
[Feature/Bug causing the regression]: Not a regression, private browsing violation in a new feature
[User impact if declined]: private browsing violation, quite serious.  Note that the feature isn't enabled by default, but is going to undergo a shield study in 63 beta.
[Is this code covered by automated tests?]: Yes
[Has the fix been verified in Nightly?]: Not yet.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: Not really.
[Why is the change risky/not risky?]: Because it's simple, localized, and the code in question is preffed off by default.
[String changes made/needed]: None.
Attachment #9006600 - Flags: approval-mozilla-beta?
Comment on attachment 9006600 [details]
Bug 1488785 - Part 1: Don't save persistent storage access permissions for private browsing contexts; r=baku

Andrea Marchesini [:baku] has approved the revision.
Attachment #9006600 - Flags: review+
Comment on attachment 9006601 [details]
Bug 1488785 - Part 2: Add support for running tests in private windows to the antitracking mini-testsuite; r=baku

Andrea Marchesini [:baku] has approved the revision.
Attachment #9006601 - Flags: review+
Comment on attachment 9006602 [details]
Bug 1488785 - Part 3: Add a test to ensure that setting a storage access permission in a private window won't leave a persistent trace in the permission manager; r=baku

Andrea Marchesini [:baku] has approved the revision.
Attachment #9006602 - Flags: review+
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5cf5331348ef
Part 1: Don't save persistent storage access permissions for private browsing contexts; r=baku
https://hg.mozilla.org/integration/mozilla-inbound/rev/5ba2811bacfd
Part 2: Add support for running tests in private windows to the antitracking mini-testsuite; r=baku
https://hg.mozilla.org/integration/mozilla-inbound/rev/8ae26799f5fd
Part 3: Add a test to ensure that setting a storage access permission in a private window won't leave a persistent trace in the permission manager; r=baku
Comment on attachment 9006600 [details]
Bug 1488785 - Part 1: Don't save persistent storage access permissions for private browsing contexts; r=baku

Approved for 63 beta 4
Attachment #9006600 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:64.0) Gecko/20100101 Firefox/64.0
Build ID: 20180907100116

Verified as fixed on the latest Nightly build (64.0a1) and on the latest Beta build (63b4).
Status: RESOLVED → VERIFIED
Flags: qe-verify+