Closed Bug 1510860 Opened 6 years ago Closed 5 years ago

Create an exception to content blocking on a page results in erratic blocking behaviour.

Categories

(Firefox :: Protections UI, defect)

Product:
Firefox
Component:
Protections UI
Version:
65 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 66
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 + fixed
firefox66 + fixed

People

(Reporter: ewright, Assigned: ehsan.akhgari)

References

(Blocks 1 open bug)

Details

(Keywords: regression)

Attachments

(2 files)

all-cookies-blocked-after-exception.png
100.46 KB, image/png
Details
Bug 1510860 - Ensure that the cookie service checks the content blocking allow list even for first-party cookies since that's required when we're blocking all cookies;
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
Details | Review 
STR:
- apply this patch: https://phabricator.services.mozilla.com/D12596
(in order to illustrate the behavior - the behavior is not caused by this patch)

- turn on blocking for "all cookies"
- navigate to a website with cookies like "https://www.ebay.de/"
- add an exception for this site - click "turn off blocking for this site" button in the control panel
- click the arrow next to the cookies section

ER: No cookies should be blocked
AR: cookies "from this site" are being blocked and "tracking cookies" are being allowed through.

this is the result of running await gBrowser.selectedBrowser.getContentBlockingLog():

"{
 \"https://rover.ebay.de\": [[32768, true, 1], [1073741824, true, 1]],
 \"https://pulsar.ebay.de\": [[32768, true, 1], [1073741824, true, 1]],
 \"https://ir.ebaystatic.com\": [[8192, true, 1]],
 \"https://i.ebayimg.com\": [[8192, true, 1]],
 \"https://ocsrest.ebay.de\": [[32768, true, 1], [1073741824, true, 1]],
 \"https://www.ebay.com\": [[8192, true, 1]],
 \"https://signin.ebay.de\": [[32768, true, 1], [1073741824, true, 1]],
 \"https://velocity-files-origin.ebay.com\": [[8192, true, 1]],
 \"https://gha.ebay.de\": [[32768, true, 1], [1073741824, true, 1]],
 \"https://rover.ebay.com\": [[8192, true, 1], [32768, true, 1]],
 \"https://src.ebay-us.com\": [[8192, true, 1]]
}
"

screenshot attached.

This seems to only reliably reproduce with the setting blocking "all cookies".
src.ebay-us.com only has STATE_LOADED_TRACKING_CONTENT.  Why is it marked as blocked then?!
Flags: needinfo?(jhofmann)
This may be fixed by bug 1515343.
Depends on: 1515343
(In reply to :Ehsan Akhgari from comment #2)
> This may be fixed by bug 1515343.

No, it seems unrelated.
No longer depends on: 1515343
This is a regression from bug 1502240 where we made content blocking allow list apply to all cookie policies.

The problem is that these checks in the cookie service are still happening based on isForeign: <https://searchfox.org/mozilla-central/rev/2e5e28f518524f8af5b158ddb605022b6a2d68cf/netwerk/cookie/nsCookieService.cpp#2001>, which means that we will not be performing the checks for first-party cookies.  This is important since it means that in the case where our cookieBehavior pref tells us to block all cookies, we will not be checking the content blocking allow list to see if we need to exempt a given cookie or not, and we indiscriminately block the cookie, which is the behaviour that is observed after turning off blocking for ebay.de on domains such as rover.ebay.de.
Assignee: nobody → ehsan
Blocks: 1502240
status-firefox66: --- → affected
tracking-firefox65: --- → ?
tracking-firefox66: --- → ?
Flags: needinfo?(jhofmann)
Keywords: regression
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3a328e80b02c
Ensure that the cookie service checks the content blocking allow list even for first-party cookies since that's required when we're blocking all cookies; r=baku
Backout by ebalazs@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/232000a83412
Backed out changeset 3a328e80b02c for failures e.g.: dom/tests/mochitest/general/test_storagePermissionsLimitForeign.html CLOSED TREE
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e94a166a769c
Ensure that the cookie service checks the content blocking allow list even for first-party cookies since that's required when we're blocking all cookies; r=baku
https://hg.mozilla.org/mozilla-central/rev/e94a166a769c
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox66: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 66
Flags: needinfo?(ehsan)
Comment on attachment 9032717 [details]
Bug 1510860 - Ensure that the cookie service checks the content blocking allow list even for first-party cookies since that's required when we're blocking all cookies;

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1502240

User impact if declined: See comment 0.  This will most definitely impact other sites too.

Is this code covered by automated tests?: Yes

Has the fix been verified in Nightly?: No

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Quite low risk.  We were forgetting to do some access checks in the case of first-party checks, but we already perform them in the case of third-party checks, so there isn't really a stability risk associated with running the same code in other cases too, and this code is rigorously tested in automated tests, so I'm not nervous about introducing regressions either.

String changes made/needed: None
Attachment #9032717 - Flags: approval-mozilla-beta?
Comment on attachment 9032717 [details]
Bug 1510860 - Ensure that the cookie service checks the content blocking allow list even for first-party cookies since that's required when we're blocking all cookies;

[Triage Comment]
Fixes unexpected cookie blocking under some circumstances. Thanks for including tests with this. Approved for 65.0b7.
Attachment #9032717 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Does this need manual qa? If yes can you please provide steps to install phabricator patch on Firefox, so that I can verify the fix on latest Beta and Nightly. 

I tried duplicating this issue with comment 0 with strict content blocking option, added exception for "https://www.ebay.de/" by  clicking "turn off blocking for this site" button in the control panel
Version 	65.0a1
Build ID 	20181127100134

I see it's allowing cookies for "https://www.ebay.de/" but don't see the breakdown of tracking cookies.
Flags: needinfo?(ewright)
Flags: needinfo?(ehsan)
No, this doesn't need manual QA.  Only bugs marked in our "Privacy Tracking" spreadsheet marked as "QA NEEDED" require manual testing.
Flags: needinfo?(ewright)
Flags: needinfo?(ehsan)
Based on comment 15 I am removing the qe-verify+ flag. Thanks!
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: