Closed Bug 1519881 Opened 5 years ago Closed 5 years ago

Geolocation Permissions are applied in private browsing sessions

Categories

(Firefox :: Private Browsing, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1422056

People

(Reporter: gcp, Unassigned)

Details

(Keywords: csectype-disclosure, privacy, sec-low, Whiteboard: [fingerprinting])

Attachments

(1 file)

Attached image notsoprivate.png
  1. Go to https://developer.mozilla.org/en-US/docs/Web/API/Geolocation_API#HTML_Content, "Live Result" example. Click "Show My Location", approve MDN domain.

  2. Open Private Browsing Window.

  3. Go to https://developer.mozilla.org/en-US/docs/Web/API/Geolocation_API#HTML_Content, "Live Result" example. Click "Show My Location".

Expected result:

  • Permission is re-requested.

Actual result:

  • Exact location is immediately shown even in private browsing mode.

As a practical example, the attached screen is what I get when I shop on Amazon in "private browsing mode".

For what it's worth, I first thought this was GeoIP in action, but all public GeoIP databases locate me in another city, which is what caused me to test on MDN.

Given that Google now puts maps behind google.com/maps instead of a top level domain, this means that for example using a VPN won't do anything to anonymize you to any Google service, if you've ever given Google Maps location permissions in a normal session.

The question is whether this is a one-off in the way Geolocation is asking, or a broader issue with the Permission Manager.

Flags: needinfo?(tanvi)
Whiteboard: [fingerprinting]

Johann says this is known (PermissionManager strips originAttributes) and he'll find the dupe bug later.

Flags: needinfo?(tanvi) → needinfo?(jhofmann)

Yup, while it may not be an exact dupe it boils down to bug 1422056. I also remember duping previous bug reports about this but I don't know where those are now. I'll look around a bit more. I'll also try to get a little more movement into bug 1330467, which is the prerequisite for all this.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jhofmann)
Resolution: --- → DUPLICATE
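
A simplified model of the behaviour described in the comments above (a permission store that strips originAttributes before lookup), added here as an illustration; it is not Firefox code. The `^privateBrowsingId=1` origin suffix follows Firefox's origin serialization; `splitOrigin`, `PermissionStore` and `reproduce` are hypothetical names, and keying on `privateBrowsingId` is an assumed isolation strategy, not the change made in the linked bugs.

```javascript
// Model only: shows why stripping origin attributes before a permission
// lookup makes a grant from a normal window visible in a private window.

// Split "https://host^privateBrowsingId=1" into base origin and attributes.
function splitOrigin(origin) {
  const i = origin.indexOf("^");
  if (i === -1) return { base: origin, attrs: {} };
  const attrs = Object.fromEntries(new URLSearchParams(origin.slice(i + 1)));
  return { base: origin.slice(0, i), attrs };
}

class PermissionStore {
  constructor({ stripAttributes }) {
    this.stripAttributes = stripAttributes;
    this.grants = new Map();
  }
  key(origin, type) {
    const { base, attrs } = splitOrigin(origin);
    // Behaviour reported in the bug: attributes are dropped from the key.
    if (this.stripAttributes) return `${base}|${type}`;
    // Assumed isolation: private and normal sessions get distinct keys.
    const pb = attrs.privateBrowsingId || "0";
    return `${base}^privateBrowsingId=${pb}|${type}`;
  }
  grant(origin, type) {
    this.grants.set(this.key(origin, type), "allow");
  }
  query(origin, type) {
    return this.grants.get(this.key(origin, type)) || "prompt";
  }
}

// Steps 1-3 of the report, with constructed origins.
function reproduce(store) {
  const normal = "https://developer.mozilla.org";
  const priv = "https://developer.mozilla.org^privateBrowsingId=1";
  store.grant(normal, "geolocation"); // step 1: approve in a normal window
  return store.query(priv, "geolocation"); // step 3: ask in a private window
}

const stripping = reproduce(new PermissionStore({ stripAttributes: true }));
const isolated = reproduce(new PermissionStore({ stripAttributes: false }));
console.log({ stripping, isolated });
```
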