Closed Bug 1540117 Opened 8 months ago Closed 3 months ago

Incorrect warning about request to access cookie or storage

Categories

(Core :: Networking: Cookies, defect, P2)

66 Branch
Desktop
All
defect

Tracking


RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: kusmabite, Assigned: ehsan)

References

(Regressed 1 open bug)

Details

(Keywords: regression, Whiteboard: [necko-triaged])

Attachments

(3 files, 2 obsolete files)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

Open up https://gitlab.freedesktop.org/ in Firefox, and open up the JavaScript console.

Actual results:

The following warning was output:

"Request to access cookie or storage on “https://storage.googleapis.com/fdo-gitlab-uploads/appearance/favicon/1/fdo-favicon.ico?GoogleAccessId=GOOGOEXJKVLVDILPMJ5V2WSY&Signature=o4KMVULFqD27NzCV3h7SxRSyZfY%3D&Expires=1553863896” was blocked because we are blocking all third-party storage access requests and content blocking is enabled."

Expected results:

No warning should have been output, as the request does not request storage.

If I capture the output with the network tab in the debug tools, I can see that these are the headers:

---8<---
HTTP/2.0 200 OK
x-guploader-uploadid: AEnB2UqG3JMKZNA2-QYjtkjLbBbhUt2GCZw61CuEN4ZjkXFrOCqhbIaJnABHkQQzik_gRaq2a1QO6_GddB0pLO9n90ISWL618eaY-EGvKDCgB7ewjdEjTsI
expires: Fri, 29 Mar 2019 12:44:03 GMT
date: Fri, 29 Mar 2019 12:44:03 GMT
cache-control: private, max-age=0
last-modified: Wed, 08 Aug 2018 15:23:27 GMT
etag: "ab3d69c106187c3a7df54a3a17cf9c29"
x-goog-generation: 1533741807914952
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1406
content-type: image/vnd.microsoft.icon
x-goog-hash: crc32c=BFcn5w==
x-goog-hash: md5=qz1pwQYYfDp99Uo6F8+cKQ==
x-goog-storage-class: REGIONAL
accept-ranges: bytes
content-length: 1406
server: UploadServer
alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"
X-Firefox-Spdy: h2
---8<---

Nothing in here looks like cookies or storage to me. Perhaps it's a false-positive due to the "x-goog-storage-class: REGIONAL" or something along those lines?

I cannot reproduce your issue.

  1. Does this issue occur on Fedora? Which version of Fedora?
  2. Is it the Release version of Firefox that reproduces the issue? Please post the exact version.
  3. Does this issue occur on the latest Nightly browser?
    Get it from here: http://archive.mozilla.org/pub/firefox/nightly/2019/03/2019-03-30-09-33-31-mozilla-central/Firefox%20Installer.en-US.exe
  4. Which one is the JavaScript console?

Thank you for your contribution!

Flags: needinfo?(kusmabite)

  1. Yes, it happens on Fedora 29.
  2. It's the current distro-package of Fedora 29. The About dialog reports:
    "Firefox Quantum
    66.0.1 (64-bit)
    Mozilla Firefox for Fedora
    fedora - 1.0".
  3. That download-link is for Windows, I'm using Linux. If I download the Linux nightly from https://www.mozilla.org/en-US/firefox/channel/desktop/, the problem still occurs.
  4. Control + Shift + K, or "Web Developer" -> "Web Console" under the hamburger menu. You may have to reload the page with this open to see the warning.

But: I think I missed one step for reproduction: You also need to enable blocking of all 3rd party cookies. You can do so by going to "Settings" -> "Privacy and Security" -> "Content Blocking", and selecting the "Custom" radio-button. Then you check "Cookies" and choose "All third-party cookies (may cause websites to break)". With the "Standard" setting, no warning is emitted.

Flags: needinfo?(kusmabite)

That should have been "Options" -> "Privacy and Security" -> "Content Blocking", not "Settings" [...].

I confirm the reproduction of the behavior described by the reporter; however, I do not know whether it is valid or not.
I will set this bug's component as (Core) DOM. Hopefully, a developer will pick it up and decide how to address it.

I have to mention that this issue is not Fedora specific as it occurs on all platforms and versions.
Thank you for your contribution!

Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → All
Hardware: Unspecified → Desktop
Component: Untriaged → DOM: Web Storage
Product: Firefox → Core
Component: DOM: Web Storage → Tracking Protection
Product: Core → Firefox
Component: Tracking Protection → Privacy: Anti-Tracking
Product: Firefox → Core

Can you still reproduce the issue? I cannot in the latest nightly.

Flags: needinfo?(daniel.bodea)
Priority: -- → P2

Still fails for me on Firefox 68.0.

I have tested main versions on Windows 10 and found that it does not reproduce in Nightly v70.0a1, but it does reproduce in Beta v69.0b6.

Furthermore, I have attempted to find the fix using mozregression and these are my results:

2019-07-23T14:03:46: INFO : Narrowed inbound regression window from [8cc6bacf, 80e58bbe] (3 builds) to [8cc6bacf, a39c6716] (2 builds) (~1 steps left)
2019-07-23T14:03:46: DEBUG : Starting merge handling...
2019-07-23T14:03:46: DEBUG : Using url: https://hg.mozilla.org/integration/autoland/json-pushes?changeset=a39c67169747c1dbd184c14c11aa6bdd3d61db93&full=1
2019-07-23T14:03:47: DEBUG : Found commit message:
Bug 1544864 - Enable Show Content Messages in browser console. r=bgrins.

This patch removes the preference we were using to
display the checkbox in the Browser Console; it's now
always displayed there.

We flip the pref to show content messages ini tests that need them.

Differential Revision: https://phabricator.services.mozilla.com/D34996

2019-07-23T14:03:47: DEBUG : Did not find a branch, checking all integration branches
2019-07-23T14:03:47: INFO : The bisection is done.
2019-07-23T14:03:47: INFO : Stopped

Flags: needinfo?(daniel.bodea)

(In reply to Erik Faye-Lund from comment #0)

> Open up https://gitlab.freedesktop.org/ in Firefox, and open up the JavaScript console.
>
> Actual results:
>
> The following warning was output:
>
> "Request to access cookie or storage on “https://storage.googleapis.com/fdo-gitlab-uploads/appearance/favicon/1/fdo-favicon.ico?GoogleAccessId=GOOGOEXJKVLVDILPMJ5V2WSY&Signature=o4KMVULFqD27NzCV3h7SxRSyZfY%3D&Expires=1553863896” was blocked because we are blocking all third-party storage access requests and content blocking is enabled."

Note here in the log message we're saying "because we are blocking all third-party storage access requests". This means that in Preferences, Privacy & Security, Content Blocking, Custom, Cookies you have selected "All third-party cookies (may cause websites to break)".

This tells Firefox to strip all cookies and storage access from any third-party context, including the request from the URL above.

> Expected results:
>
> No warning should have been output, as the request does not request storage.

In fact all HTTP requests internally "request" storage, in the sense that they look up the cookies database to see if a matching cookie should be attached to them. The problem is that when that request fails, we notify that we "rejected" the request (which will eventually result in this console warning) even if there was no cookie to begin with.

This should be easy to fix...

Assignee: nobody → ehsan
Component: Privacy: Anti-Tracking → Networking: Cookies
Whiteboard: [necko-triaged]
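
A simplified model of the lookup-and-notify logic described in the comment above, as an added example that is not Gecko code and not part of the original bug thread. The class, function and host names are hypothetical, and the third-party check is reduced to a plain hostname comparison.

```javascript
// Simplified model of the behaviour discussed in this bug; not Gecko code.
// CookieJar, cookiesForRequest and run are hypothetical names.
const BEHAVIOR_ACCEPT = 0;
const BEHAVIOR_REJECT_FOREIGN = 1; // "All third-party cookies" in the UI

class CookieJar {
  constructor(behavior, { warnOnlyIfCookiesStored }) {
    this.behavior = behavior;
    this.warnOnlyIfCookiesStored = warnOnlyIfCookiesStored;
    this.store = new Map(); // host -> array of "name=value" strings
    this.warnings = [];     // stands in for the web console
  }

  setCookie(host, cookie) {
    if (!this.store.has(host)) this.store.set(host, []);
    this.store.get(host).push(cookie);
  }

  // Called for every outgoing request: each one consults the cookie store.
  cookiesForRequest(url, topLevelHost) {
    const host = new URL(url).hostname;
    const stored = this.store.get(host) || [];
    // Assumption: exact hostname match; a real browser compares base domains.
    const thirdParty = host !== topLevelHost;
    if (this.behavior === BEHAVIOR_REJECT_FOREIGN && thirdParty) {
      // Old behaviour: warn on every rejected lookup.
      // Fixed behaviour: warn only when a stored cookie was actually withheld.
      if (!this.warnOnlyIfCookiesStored || stored.length > 0) {
        this.warnings.push(`Request to access cookie or storage on "${url}" was blocked`);
      }
      return [];
    }
    return stored;
  }
}

function run(warnOnlyIfCookiesStored) {
  const jar = new CookieJar(BEHAVIOR_REJECT_FOREIGN, { warnOnlyIfCookiesStored });
  jar.setCookie("tracker.example", "id=123"); // constructed sample data
  const top = "gitlab.freedesktop.org";
  jar.cookiesForRequest("https://storage.googleapis.com/favicon.ico", top); // host has no cookies
  jar.cookiesForRequest("https://tracker.example/pixel.gif", top);          // host has a cookie
  return jar.warnings;
}

console.log("old behaviour:", run(false).length, "warning(s)");
console.log("fixed behaviour:", run(true).length, "warning(s)");
```
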

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c93e83feda5e
Part 1: Do not generate a console warning when we reject an attempt to retrieve a cookie for a host that has none stored; r=baku
https://hg.mozilla.org/integration/autoland/rev/1dc867e1d4b2
Part 2: Add a pref to allow turning off the lazy reporting of anti-tracking warnings to the web console; r=baku
https://hg.mozilla.org/integration/autoland/rev/1dcf5956a3f1
Part 3: Add unit tests for ensuring that the right set of console messages are captured during the anti-tracking test suite, and also add test coverage for BEHAVIOR_REJECT_FOREIGN; r=baku

Flags: needinfo?(ehsan)

Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/11837979956b
Part 1: Do not generate a console warning when we reject an attempt to retrieve a cookie for a host that has none stored; r=baku
https://hg.mozilla.org/integration/autoland/rev/fcc060bc9677
Part 2: Add a pref to allow turning off the lazy reporting of anti-tracking warnings to the web console; r=baku
https://hg.mozilla.org/integration/autoland/rev/1f918cd124a8
Part 3: Add unit tests for ensuring that the right set of console messages are captured during the anti-tracking test suite, and also add test coverage for BEHAVIOR_REJECT_FOREIGN; r=baku

Pushed by nbeleuzu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e30c654504e6
Part 4: Fix browser_webconsole_trackingprotection_errors.js by ensuring that the test page does set a cookie. r=fix CLOSED TREE

Pushed by nbeleuzu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c72fb6d63304
Part 5: Fix browser_webconsole_warning_group_content_blocking.js too by ensuring that the test image does set a cookie. r=fix CLOSED TREE

Since the statuses are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

Attachment #9088538 - Attachment is obsolete: true
Attachment #9088507 - Attachment is obsolete: true
Regressions: 1577362