Closed Bug 1595585 Opened 3 months ago Closed 2 months ago

digitru.st domain not treated as a tracker

Categories

(Core :: Privacy: Anti-Tracking, defect)

70 Branch
defect
Not set

RESOLVED FIXED

People

(Reporter: John, Assigned: englehardt)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.2 Safari/605.1.15

Steps to reproduce:

  1. Load https://www.sfgate.com/
  2. Look at the cookie view in Web Developer Tools.

(I'm filing this as a security issue in case you treat privacy issues as such. Just open up the bug if this categorization is wrong.)

Actual results:

The cdn.digitru.st iframe has a two-year, high-entropy cookie set (see attached screenshot).
The first-party main frame has a short-lived copy of the digitru.st cookie.

Expected results:

I have the standard Enhanced Tracking Protection setting enabled under Privacy & Security. It says tracking cookies should be blocked so I expect digitru.st to neither be able to set new cookies nor be able to access existing ones.

Attachment #9107902 - Attachment description: Screen Shot 2019-11-08 at 4.07.24 PM.png → Screen Shot 2019-11-08 for the third-party cookie
Attachment #9107902 - Attachment description: Screen Shot 2019-11-08 for the third-party cookie → Screen Shot for the third-party cookie
Group: firefox-core-security
Component: Untriaged → Privacy: Anti-Tracking
Product: Firefox → Core
Assignee: nobody → senglehardt
Status: UNCONFIRMED → NEW
Ever confirmed: true

I've filed https://github.com/disconnectme/disconnect-tracking-protection/issues/109 for this. I will follow up once we hear back from Disconnect.

Status: NEW → ASSIGNED

Disconnect has staged this here: https://github.com/mozilla-services/shavar-prod-lists/pull/90. We are at the tail end of some work to re-configure the way we manage lists, so it's been blocked on that. I expect this fix will ship in Firefox 73.

https://github.com/mozilla-services/shavar-prod-lists/pull/90 has been merged. I've confirmed this is now blocked in Nightly 73, and will ship to release users with the 73 release.

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED