Open Bug 1535606 Opened 5 years ago Updated 2 years ago

HTTP authentication cache cannot be cleared through the browsingData API

Categories

(WebExtensions :: Compatibility, enhancement, P3)

64 Branch
enhancement

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned)


From https://armin.dev/blog/2019/03/firefox-extensions-browsing-data-security/

Certain extensions make it possible to forget cookies and authentication data when users navigate away from a page or close a tab.

browser.browsingData.removeCookies({hostnames: ['example.com']})

There is no dedicated interface for clearing the HTTP authentication cache in any of the major browsers, though Chrome respects user intent by clearing this cache when cookies or passwords are deleted.

Firefox does not clear the HTTP authentication cache when the browsingData.removeCookies() or browsingData.removePasswords() function is called, allowing sites to track previously logged in users until the browser is closed.

This could be fixed by calling Sanitizer.items.sessions.clear() (which in turn triggers a "net:clear-active-logins" notification, among other things) at the clearPasswords handler.

If we switch to nsIClearDataService (bug 1531276), then we use it and pass the CLEAR_AUTH_TOKENS and CLEAR_AUTH_CACHE flags.

At a minimum, we should clear the cache on both removeCookies() and removePasswords().

If we want to go beyond just Chrome compatibility, clearing the auth cache could become an optional parameter to browsingData.RemovalOptions indicating if the cache should be cleared. We could also offer a separate browsingData.removeHttpAuth() API if it seems like that would have value.

Priority: -- → P3

I checked whether there are any other ways to clear the HTTP auth cache via the browsingData API, and found the bug where this feature was introduced in Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=108291

The HTTP auth cache is cleared upon clearing cookies and upon clearing passwords, because:

  • When cookies are cleared, the user expectation is that existing web login sessions are ended - including the session that was opened by entering credentials for HTTP basic auth.
  • When passwords are deleted, the expectation is that remembered passwords are cleared - including the password from HTTP basic auth.

(In reply to Mike Conca [:mconca] from comment #1)

At a minimum, we should clear the cache on both removeCookies() and removePasswords().

If we want to go beyond just Chrome compatibility, clearing the auth cache could become an optional parameter to browsingData.RemovalOptions indicating if the cache should be cleared. We could also offer a separate browsingData.removeHttpAuth() API if it seems like that would have value.

Being able to clear only HTTP auth credentials without clearing cookies or saved passwords sounds useful indeed.

As for the implementation in Firefox (desktop):

  • Currently the HTTP auth cache is cleared upon receiving "net:clear-active-logins". This notification clears all HTTP auth credentials, without a way to filter by time or host. The creation time of the credentials doesn't appear to be stored. The

  • The HTTP auth cache is also cleared when "clear-origin-attributes-data" is received. This notification is not specific to the HTTP auth cache; many other kinds of data are also deleted upon triggering this notification.
    This method still does not support time-based queries, but clearing by hosts is supported.

  • browsingData.removePasswords supports the "since" filter option (see clearPasswords in ext-browsingData.js).
    At the very least, we can just clear the HTTP cache if the "since" option is unset.
    Since HTTP auth tokens are typically recent, we can also consider removing the credentials even if "since" is set (without actually checki.

  • browsingData.removeCookies supports the "since" and "hostnames" filter options (see clearCookies in ext-browsingData.js).
    The note about "since" at the removePasswords method also applies to removeCookies.
    When the hostnames option is specified, clearing HTTP auth tokens for unrelated hosts may be unexpected. So we need to fix platform logic to support clearing HTTP auth credentials (e.g. by adding extra data to the "net:clear-active-logins" notification). If this is somehow not feasible, then I think that we should clear the full HTTP auth cache, regardless of the "hostnames" option, because not clearing (temporary) HTTP auth credentials is probably worse than clearing too many.

Firefox for Android (Fennec) supports removeCookies, but only with the "since" option (no "hostnames") (see clearCookies in (mobile) ext-browsingData.js).
Fennec does not support removePasswords (if we ever decide to add support, it will probably appear as a dependency of bug 1362118).
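
An added model of the behaviour discussed in the comment above, not Firefox code and not part of the original bug: it shows that clearing cookies for a host leaves the cached Basic credentials in place, and how the proposed fix behaves with and without per-host filtering. `ProfileModel`, `scenario` and the policy flags are hypothetical names, and the sample hosts and credentials are constructed.

```javascript
// Added model, not Firefox source. All names here are hypothetical.
// A browser profile keeps cookies and HTTP auth credentials in separate stores.
class ProfileModel {
  // clearAuthWithCookies=false models the behaviour reported in this bug;
  // true models the proposed fix. hostFilter says whether the platform can
  // clear HTTP auth credentials per host (per the thread, the
  // "net:clear-active-logins" notification cannot).
  constructor({ clearAuthWithCookies = false, hostFilter = false } = {}) {
    this.policy = { clearAuthWithCookies, hostFilter };
    this.cookies = new Map();   // host -> cookie header value
    this.httpAuth = new Map();  // host -> "user:password" entered at a prompt
  }

  // Headers the browser would attach to a request for `host`.
  requestHeaders(host) {
    const headers = {};
    if (this.cookies.has(host)) headers.Cookie = this.cookies.get(host);
    if (this.httpAuth.has(host)) {
      const b64 = Buffer.from(this.httpAuth.get(host)).toString("base64");
      headers.Authorization = `Basic ${b64}`;
    }
    return headers;
  }

  // Model of browsingData.removeCookies({hostnames}).
  removeCookies({ hostnames } = {}) {
    const targets = hostnames ?? [...this.cookies.keys()];
    for (const h of targets) this.cookies.delete(h);
    if (!this.policy.clearAuthWithCookies) return;
    if (hostnames && this.policy.hostFilter) {
      for (const h of hostnames) this.httpAuth.delete(h);
    } else {
      // Fallback argued for in the thread: clearing too many credentials
      // is preferable to leaving temporary ones behind.
      this.httpAuth.clear();
    }
  }
}

// Constructed sample data: one cookie session and one Basic auth login per host.
function scenario(policy) {
  const p = new ProfileModel(policy);
  for (const h of ["example.com", "other.test"]) {
    p.cookies.set(h, "sid=constructed");
    p.httpAuth.set(h, "alice:constructed-secret");
  }
  p.removeCookies({ hostnames: ["example.com"] });
  return { target: p.requestHeaders("example.com"), other: p.requestHeaders("other.test") };
}
```

With the default policy, `scenario({})` still returns an `Authorization` header for example.com after its cookies are removed, which is the state that lets a site keep recognising the user.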

Being able to clear only HTTP auth credentials without clearing cookies or saved passwords sounds useful indeed.

I filed a patch for this part in 1643914.

I didn't attach it here in case you want to use this bug to do some of the other things mentioned above, like clearing the HTTP auth cache upon clearing cookies and/or upon clearing passwords, etc.

Flags: needinfo?(rob)

I'll take a look at the other bug. In the future, if you refer to a bug, please put "bug" in front of it, because then Bugzilla will automatically highlight it.

bug 1643914

Flags: needinfo?(rob)
See Also: → 1643914
Severity: normal → S3