Open Bug 1581526 Opened 6 years ago Updated 11 months ago

Builtin content blocking is being set off by XHR in WebExtension, stripping cookies

Categories

(Core :: Privacy: Anti-Tracking, defect)

69 Branch
defect


UNCONFIRMED

People

(Reporter: ccfb3ee765a58cae, Unassigned)

Details

Attachments

(1 file)

Attached file testcase.zip

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

Happens on Firefox 69 and Nightly 71

Enable tracking protection. Use either the standard/strict settings, or in custom, enable "Cookies: Third-party trackers", "Cookies: All third party cookies", or "Cookies: All cookies"

Load this extension:

manifest.json

{
    "manifest_version": 2,
    "name": "webextensions cookie bug test case",
    "version": "1.0",
    "background": {
        "scripts": ["background.js"]
    },
    "permissions": [
        "https://*.reddit.com/*"
    ]
}

background.js

async function doThing() {
  // when logged into reddit, this URL should list posts from your subscribed subreddits
  // otherwise, it shows the /r/popular multireddit
  const response = await fetch("https://www.reddit.com/new.json");
  const json = await response.json();
  console.table(json.data.children);
}
doThing();

Actual results:

This warning:

Request to access cookie or storage on “https://www.reddit.com/new.json” was blocked because we are blocking all third-party storage access requests and content blocking is enabled.

Request is successful, but cookies are not sent.

Expected results:

WebExtensions background scripts should probably be able to bypass these tracker blocker heuristics.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Tracking Protection
Component: Tracking Protection → Privacy: Anti-Tracking
Product: Firefox → Core

Based on what Comment 0 describes, this looks like the current expected behavior, introduced in Bug 1525917 (which was related to the exact opposite expectation, "WebExtensions pages to respect the global cookie policy").

As described in the MDN docs related to host permissions, extensions should still be able to bypass tracking protection if the host is a full domain without wildcards.

This means that including a host permission like <all_urls> or https://*.reddit.com/* (as in the test extension attached to this issue) doesn't allow the extension to bypass the tracking protection checks as globally configured by the user, but a host permission like https://www.reddit.com/* does.

Would you mind trying to apply the suggested change to the extension manifest (https://*.reddit.com/* => https://www.reddit.com/*) and confirming that it allows the extension to bypass the tracking protection as expected?

Flags: needinfo?(ccfb3ee765a58cae)
Severity: normal → S3
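
The host-permission rule described in the comment above, as an added example that is not part of the bug report or of Firefox's code: it audits a manifest's permissions against a request URL and reports whether a covering permission names a full host or only a wildcard. The function names and verdict labels are hypothetical, and the bypass rule is assumed exactly as the comment states it.

```javascript
// Added illustration, not Firefox code. Rule assumed from the comment above:
// only a host permission naming a full host (no wildcard) bypasses the checks.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Parse a match pattern; API permissions such as "cookies" yield null.
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") return { scheme: "*", host: "*", path: "/*" };
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2], path: m[3] } : null;
}

// Does the parsed pattern cover this http(s) URL?
function covers(p, url) {
  const scheme = url.protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "https") return false;
  if (p.scheme !== "*" && p.scheme !== scheme) return false;
  if (p.host.startsWith("*.")) {
    const base = p.host.slice(2); // "*.reddit.com" also covers "reddit.com"
    if (url.hostname !== base && !url.hostname.endsWith("." + base)) return false;
  } else if (p.host !== "*" && p.host !== url.hostname) {
    return false;
  }
  const pathRe = new RegExp("^" + p.path.split("*").map(escapeRe).join(".*") + "$");
  return pathRe.test(url.pathname + url.search);
}

// verdict: "exact-host" | "wildcard-only" | "no-host-permission"
function auditHostPermissions(manifest, requestUrl) {
  const url = new URL(requestUrl);
  const matching = (manifest.permissions || [])
    .map((pattern) => ({ pattern, parsed: parseMatchPattern(pattern) }))
    .filter((e) => e.parsed && covers(e.parsed, url))
    .map((e) => ({ pattern: e.pattern, wildcardHost: e.parsed.host.includes("*") }));
  if (matching.length === 0) return { verdict: "no-host-permission", matching };
  const exact = matching.some((e) => !e.wildcardHost);
  return { verdict: exact ? "exact-host" : "wildcard-only", matching };
}

// Constructed inputs: the manifest from this report and the suggested variant.
const reported = { permissions: ["https://*.reddit.com/*"] };
const suggested = { permissions: ["https://www.reddit.com/*"] };
const target = "https://www.reddit.com/new.json";
console.log(auditHostPermissions(reported, target).verdict);  // wildcard-only
console.log(auditHostPermissions(suggested, target).verdict); // exact-host
```

A "wildcard-only" verdict corresponds to the situation in this report: the request is permitted, but under the rule above the user's global cookie policy still applies to it.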

Clear a needinfo that is pending on an inactive user.

Inactive users most likely will not respond; if the missing information is essential and cannot be collected another way, the bug maybe should be closed as INCOMPLETE.

For more information, please visit auto_nag documentation.

Flags: needinfo?(ccfb3ee765a58cae)