digitru.st domain not treated as a tracker
Categories: Core :: Privacy: Anti-Tracking, defect
People: Reporter: John, Assigned: englehardt
Attachments: 2 files
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.2 Safari/605.1.15
Steps to reproduce:
- Load https://www.sfgate.com/
- Look at the cookie view in Web Developer Tools.
(I'm filing this as a security issue in case you treat privacy issues as such. Just open up the bug if this categorization is wrong.)
Actual results:
The cdn.digitru.st iframe has a two-year, high-entropy cookie set (see attached screenshot).
The first-party main frame has a short-lived copy of the digitru.st cookie.
Expected results:
I have the standard Enhanced Tracking Protection setting enabled under Privacy & Security. It says tracking cookies should be blocked so I expect digitru.st to neither be able to set new cookies nor be able to access existing ones.
Assignee, Comment 2 • 5 years ago
I've filed https://github.com/disconnectme/disconnect-tracking-protection/issues/109 for this. I will follow up once we hear back from Disconnect.
Assignee, Comment 3 • 5 years ago
Disconnect has staged this here: https://github.com/mozilla-services/shavar-prod-lists/pull/90. We are at the tail end of some work to re-configure the way we manage lists, so it's been blocked on that. I expect this fix will ship in Firefox 73.
Assignee, Comment 4 • 5 years ago
https://github.com/mozilla-services/shavar-prod-lists/pull/90 has been merged. I've confirmed this is now blocked in Nightly 73, and will ship to release users with the 73 release.