Cookie on sandbox
Categories
(Core :: DOM: Security, defect)
Tracking
()
People
(Reporter: vpodkamenyi, Unassigned, NeedInfo)
References
()
Details
(Keywords: regression)
Attachments
(1 file)
|
369.09 KB,
image/png
|
Details |
Firefox 68 sends cookie from IFRAME with sandbox attribute.
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Steps to reproduce:
Embedding image using IFRAME with empty "sandbox" attribute.
More details on StackOwerflow: https://stackoverflow.com/q/51549390/5438323
Screenshots: https://imgur.com/a/fQ0tgBU
Actual results:
Firefox 68: The IFRAME with empty "sandbox" attribute send cookie.
Firefox 67: Works fine.
Firefox 66: Works fine.
Expected results:
The IFRAME with empty "sandbox" attribute should not send cookie.
|
||
Comment 1•6 years ago
|
||
I haven't confirmed this yet. Chris, can you take a look? Thanks!
|
||
Updated•6 years ago
|
|
||
Comment 2•6 years ago
|
||
Interesting that all the browsers (according to StackOverflow) agreed that there are no cookies sent in this case, but I don't know a reason why. Anne: any idea what spec might cover this? CSS images sending cookies when loaded from a null origin in a sandbox? Why wouldn't images send cookies in every context?
jkt tried reproducing and we seem to send cookies on the testcase in old Firefox 59 and Firefox 53 builds, so I'm not sure why the stack overflow people think it worked.
Also interesting that this is a feature lots of developers seem to want. Like ReferrerPolicy, maybe this is something we should consider making into a standard.
|
||
Comment 3•6 years ago
|
||
- Open mozregression with
mozregression --bad 2019-08-06 --good 2018-01-01 - Open STR page (http://languid-barracuda.glitch.me/) see no cookies sent
- Open the request image in a new tab
- Reload
Cookies were sent for me with 59.0a1, 68.0.1esr, 53.0a1, 67.0a1, 70.0a1
Notably my 70.0a1 setup was blocking stackoverflow initially due to tracking protection and then it sent after tracking protection was disabled.
I'm unable to reproduce this issue.
|
|
||
Updated•6 years ago
|
|
|
||
Comment 4•6 years ago
•
|
||
Another note, the SameSite=Lax change that both Chrome and Firefox will be pushing will make this not work also.
network.cookie.sameSite.laxByDefault=true in config means the cookies aren't sent and the change will match Chrome stable.
Chrome also for me in stable wasn't showing the cookies, I had to change to run a local server to see that it is in fact sending cookies.
|
||
Comment 5•6 years ago
|
||
Given that Chrome also appears to be sending cookies (though this is not clear from their developer console) and the standard for sandboxing doesn't say anything about suppressing cookies, clearing my needinfo and verifying. Thanks jkt for the help!
|
Reporter | |
Comment 6•6 years ago
|
||
Hello, thank you for taking care about this issue.
But Firefox 67 and 68 work differently.
Here are two screenshots:
- Firefox 67: does not send cookie header;
- Firefox 68: sends cookie header;
|
|
||
Comment 7•6 years ago
|
||
And you've navigated to stackoverflow.com before in both? (If there are no cookies in your cache, none will be transmitted.)
|
|
||
Comment 8•6 years ago
|
||
Testing with https://ftp.mozilla.org/pub/firefox/releases/67.0.4/linux-x86_64/en-US/firefox-67.0.4.tar.bz2 I don't see this at all. I tried 67.0.4, 68.0 and 67.0 all with the same behaviour.
Using the following STR with a fresh profile:
- Create a tab with https://stackoverflow.com/
- Create a tab and open inspector
- Navigate previous tab to http://languid-barracuda.glitch.me/
- Look at the network panel for the image and see cookies.
Please ensure you visit stackoverflow first, I'm unable to replicate this at all in any build. The only time I have seen it not sent is in the followin configs:
- Disable third party cookies
- Tracking protection was enabled
If you have more information on your setup I can look into it further.
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
Description
•