Forget about this site does not delete service workers

RESOLVED FIXED in Firefox 68

Status

()

defect
P1
normal
RESOLVED FIXED
3 months ago
Last month

People

(Reporter: johannh, Assigned: johannh)

Tracking

(Blocks 1 bug, Regression, {privacy, regression})

66 Branch
mozilla68
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox66 wontfix, firefox67 wontfix, firefox68 fixed)

Details

Attachments

(1 attachment, 1 obsolete attachment)

Originally reported by Konark Modi in bug 1545605.

+++ This bug was initially created as a clone of Bug #1545605 +++

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

Steps to reproduce:

Firefox Version: 66.0.3
BuildID: 20190409155332
OS: macOS 10.14.4

Visit the following pages:

  1. https://cdn.cliqz.com/browser-f/fun-demo/sw-test.html
  2. https://cdn.cliqz.com/browser-f/fun-demo/worker-test/index.html
    • Prompts for permission for notification. Allow it.
  3. https://independent.co.uk

Now:
History => Show All History => One by one right click on three sites above and select the option forget about this site.

Site is removed from this history.

Actual results:

Link 1. Service workers are not removed:
- about:debugging -> workers -> https://cdn.cliqz.com/browser-f/fun-demo/pwn.js
- On file system:
- serviceworker.txt:https://cdn.cliqz.com/browser-f/fun-demo/
- serviceworker.txt:https://cdn.cliqz.com/browser-f/fun-demo/pwn.js

Link 2: Notification data is not deleted
- Even after forget about this site, the filenotificationstore.json contains this entry:
notificationstore.json:{"https://cdn.cliqz.com":{"{6f28d939-daaf-cf45-ade2-cd2e4106421c}":{"id":"{6f28d939-daaf-cf45-ade2-cd2e4106421c}","title":"Hi there!","dir":"auto","lang":"","body":"","tag":"","icon":"","alertName":"https://cdn.cliqz.com#notag:{6f28d939-daaf-cf45-ade2-cd2e4106421c}","timestamp":1555623703582,"origin":"https://cdn.cliqz.com","data":"","mozbehavior":"{\"noclear\":false,\"noscreen\":false,\"showOnlyOnce\":false,\"soundFile\":\"\"}","serviceWorkerRegistrationScope":""},"{7691e4f8-7577-d14e-ade9-8234697931ee}":{"id":"{7691e4f8-7577-d14e-ade9-8234697931ee}","title":"Hi there!","dir":"auto","lang":"","body":"","tag":"","icon":"","alertName":"https://cdn.cliqz.com#notag:{7691e4f8-7577-d14e-ade9-8234697931ee}","timestamp":1555623703583,"origin":"https://cdn.cliqz.com","data":"","mozbehavior":"{\"noclear\":false,\"noscreen\":false,\"showOnlyOnce\":false,\"soundFile\":\"\"}","serviceWorkerRegistrationScope":""}}}

Link 3:
- serviceworker.txt:https://www.independent.co.uk/
- serviceworker.txt:https://www.independent.co.uk/sw.js
- Binary file storage/default/https+++www.independent.co.uk/.metadata matches
- Binary file storage/default/https+++www.independent.co.uk/.metadata-v2 matches
- Binary file storage/default/https+++www.independent.co.uk/ls/data.sqlite matches

If the user has first party isolation enabled, then after visiting link3 and forget about this site, these are the footprints on the disk. SiteSecurityServiceState.txt:www.google-analytics.com^firstPartyDomain=independent.co.uk:HSTS 0 18004 1566510996706,1,1,2
SiteSecurityServiceState.txt:fonts.googleapis.com^firstPartyDomain=independent.co.uk:HSTS 0 18004 1587160596528,1,0,2
SiteSecurityServiceState.txt:cdn.ampproject.org^firstPartyDomain=independent.co.uk:HSTS 0 18004 1587160595739,1,1,2
SiteSecurityServiceState.txt:stats.g.doubleclick.net^firstPartyDomain=independent.co.uk:HSTS 0 18004 1566510998402,1,1,2
Binary file cookies.sqlite matches
Binary file places.sqlite matches
serviceworker.txt:^firstPartyDomain=independent.co.uk
serviceworker.txt:https://www.independent.co.uk/
serviceworker.txt:https://www.independent.co.uk/sw.js
Binary file storage/default/https+++www.independent.co.uk^firstPartyDomain=independent.co.uk/.metadata matches
Binary file storage/default/https+++www.independent.co.uk^firstPartyDomain=independent.co.uk/.metadata-v2 matches
Binary file storage/default/https+++www.independent.co.uk^firstPartyDomain=independent.co.uk/ls/data.sqlite matches
Binary file webappsstore.sqlite matches

Expected results:

  • In all these scenarios, the expectation is that there is no footprint of the domain visited by the user. But in scenarios mentioned above it seems that's not the case.

  • Additionally, third-parties loaded on the webpage are not removed. Which seem like a known behaviour when first-party isolation is not enabled.

But if first party isolation is enabled, the user visits independent.co.uk and a third-party like google.com set's a key. On doing forget about this site, cookies for Google keyed with independent.co.uk are not removed, allowing Google to track the next time user visits independent.co.uk.

Flags: needinfo?(jhofmann)
Assignee: nobody → jhofmann
Status: NEW → ASSIGNED
Flags: needinfo?(jhofmann)
Keywords: regression
Priority: P2 → P1
Regressed by: 1422365
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/dd551956b332
Correctly clear Service Workers by hostname. r=baku
Attachment #9063967 - Attachment is obsolete: true
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8e51c8d00793
Correctly clear Service Workers by hostname. r=baku
Flags: needinfo?(jhofmann)
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.