Closed Bug 1517389 Opened 5 years ago Closed 5 years ago

The Content Blocking UI does not reflect that cookie header is blocked in request to tracking resource

Categories

(Firefox :: Protections UI, defect)

Product:
Firefox
Component:
Protections UI
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 66
Tracking Flags:
Tracking Status
firefox66 --- fixed

People

(Reporter: englehardt, Assigned: ehsan.akhgari)

References

(Blocks 1 open bug)

Details

(Whiteboard: [privacy65][triage])

Attachments

(1 file)

Bug 1517389 - Ensure that we emit content blocking events when setting cookie headers and reading cookies from the cookies database;
47 bytes, text/x-phabricator-request
Details | Review 
STR:

1. On a fresh profile, go to https://senglehardt.com/test/recaptcha/checkbox_and_login.html and disable content blocking. This will allow Google to set some tracking cookies on the www.google.com domain.
2. Go to https://senglehardt.com/test/cookie_restrictions/www_google_script.html, open the network panel, and reload the page.
3. Verify that the www.google.com script request has tracking cookies sent in the request header.
4. Open the control center and enable content blocking for the site. 
5. When the site reloads, open the control center.

Expected:

In step 4 you should see that the site has blockable cookies for the www.google.com tracking resource.

In step 5 the shield icon should render and show the user that a third-party tracker from www.google.com was blocked in the Cookies subpanel

Actual:

In step 4 the control center says "Blockable content detected on this site", but only shows the Trackers section with an empty sub-panel.

In step 5 the shield is not rendered and the user doesn't have the option to disable protection. This is particularly bad because a user won't have the ability to disable protection if the blocked request cookies cause something to break.

Reproduced in Nightly 66.0a1 (20190102213721) and Beta 65.0b7 (20181227194012).


I suspect the cause here is that we aren't sending a notification when request headers are stripped. The google script in question does not return a SetCookie header, nor is it loaded in a tracking iframe (which would cause its JS storage access calls to be blocked).
Whiteboard: [privacy65][triage]

In step 4 the tracker subpanel is empty because we only receive a STATE_LOADED_TRACKING_CONTENT code for www.google.com which is only on the strict list not the basic list so we don't show it.

In step 5 we do have a real bug. When setting cookies, we notify for acceptance/rejection: https://searchfox.org/mozilla-central/rev/330daedbeac2bba296d663668e0e0cf248bc6823/netwerk/cookie/nsCookieService.cpp#2172

but when getting cookies, we do nothing: https://searchfox.org/mozilla-central/rev/330daedbeac2bba296d663668e0e0cf248bc6823/netwerk/cookie/nsCookieService.cpp#3065

Assignee: nobody → ehsan
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ec6834457f75
Ensure that we emit content blocking events when setting cookie headers and reading cookies from the cookies database; r=baku

https://hg.mozilla.org/mozilla-central/rev/ec6834457f75

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox66: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 66
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: