HTTP authentication cache cannot be cleared through the browsingData API
Categories
(WebExtensions :: Compatibility, enhancement, P3)
Tracking
(Not tracked)
People
(Reporter: robwu, Unassigned)
References
Details
From https://armin.dev/blog/2019/03/firefox-extensions-browsing-data-security/
Certain extensions make it possible to forget cookies and authentication data when users navigate away from a page or close a tab.
browser.browsingData.removeCookies({hostnames: ['example.com']})
There is no dedicated interface for clearing the HTTP authentication cache in any of the major browsers, though Chrome respects user intent by clearing this cache when cookies or passwords are deleted.
Firefox does not clear the HTTP authentication cache when the
browsingData.removeCookies()
orbrowsingData.removePasswords()
function is called, allowing sites to track previously logged in users until the browser is closed.
This could be fixed by calling Sanitizer.items.sessions.clear()
(which in turn triggers a "net:clear-active-logins"
notification, among other things) at the clearPasswords
handler.
If we switch to nsIClearDataService
(bug 1531276), then we use it and pass the CLEAR_AUTH_TOKENS
and CLEAR_AUTH_CACHE
flags.
Comment 1•5 years ago
|
||
At a minimum, we should clear the cache on both removeCookies() and removedPasswords().
If we want to go beyond just Chrome compatibility, clearing the auth cache could become an optional parameter to browsingData.RemovalOptions
indicating if the cache should be cleared. We could also offer a separate browsingData.removeHttpAuth()
API if it seems like that would have value.
Reporter | ||
Comment 2•5 years ago
|
||
I checked whether there are any other ways to clear the HTTP auth cache via the browsingData API, and found the bug where this feature was introduced in Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=108291
The HTTP auth cache is cleared upon clearing cookies and upon clearing passwords, because:
- When cookies are cleared, the user expectation is that existing web login sessions are ended - including the session that was opened by entering credentials for HTTP basic auth.
- When passwords are deleted, the expectation is that remembered passwords are cleared - including the password from HTTP basic auth.
(In reply to Mike Conca [:mconca] from comment #1)
At a minimum, we should clear the cache on both removeCookies() and removedPasswords().
If we want to go beyond just Chrome compatibility, clearing the auth cache could become an optional parameter to
browsingData.RemovalOptions
indicating if the cache should be cleared. We could also offer a separatebrowsingData.removeHttpAuth()
API if it seems like that would have value.
Being able to clear only HTTP auth credentials without clearing cookies or saved passwords sounds useful indeed.
As for the implementation in Firefox (desktop):
-
Currently the HTTP auth cache is cleared upon receiving
"net:clear-active-logins"
. This notification clears all HTTP auth credentials, without a way to filter by time or host. The creation time of the credentials doesn't appear to be stored. The -
The HTTP auth cache is also cleared when
"clear-origin-attributes-data"
is received. This notification is not specific to the HTTP auth cache; many others kinds of data is also deleted upon triggering this notification.
This method does still not support time-based queries, but clearing by hosts is supported. -
browsingData.removePasswords
supports the "since" filter option (seeclearPasswords
in ext-browsingData.js).
At the very least, we can just clear the HTTP cache if the "since" option is unset.
Since HTTP auth tokens are typically recent, we can also consider removing the credentials even if "since" is set (without actually checki. -
browsingData.removeCookies
supports the "since" and "hostnames" filter option (seeclearCookies
in ext-browsingData.js.
The note about "since" at theremovePasswords
method also applies toremoveCookies
.
When thehostnames
option is specified, clearing HTTP auth tokens for unrelated hosts may be unexpected. So we need to fix platform logic to support clearing HTTP auth credentials (e.g. by adding extra data to the"net:clear-active-logins"
notification). If this is somehow not feasible, then I think that we should clear the full HTTP auth cache, regardless of the "hostnames" option, because not clearing (temporary) HTTP auth credentials is probably worse than clearing too many.
Firefox for Android (Fennec) supports removeCookies
, but only with the "since" option (no "hostnames") (see clearCookies
in (mobile) ext-browsingData.js).
Fennec does not support `removePasswords (if we ever decide to add support, it will probably appear as a dependency of bug 1362118).
Being able to clear only HTTP auth credentials without clearing cookies or saved passwords sounds useful indeed.
I filed a patch for this part in 1643914.
I didn't attach it here in case you want to use this bug to do some of the other things mentioned above, like clearing the HTTP auth cache upon clearing cookies and/or upon clearing passwords, etc
Reporter | ||
Comment 4•4 years ago
|
||
I'll take a look at the other bug. In the future, if you refer to a bug, please put "bug" in front of it, because then Bugzilla will automatically highlight it.
Updated•2 years ago
|
Description
•