Open Bug 1618895 Opened 1 year ago Updated 5 months ago

Firefox receives cookies for a website that was set as blocked in the permission section

Categories

(Core :: Storage: localStorage & sessionStorage, defect, P2)

Desktop
All
defect

Tracking

Tracking Status
firefox-esr78 --- wontfix
firefox74 --- wontfix
firefox75 --- wontfix
firefox84 --- wontfix
firefox85 --- fix-optional
firefox86 --- fix-optional

People

(Reporter: cbaica, Unassigned, NeedInfo)

Details

(Keywords: regression)

Attachments

(1 file)

Attached video bug cookies

Affected versions

  • Fx74.0b9
  • Fx75.0a1

Affected platforms

  • Windows 7

Steps to reproduce

  1. Launch Firefox.
  2. Go to about:preferences#privacy, scroll down to the 'Cookies and Site Data' and click 'Manage Permissions'.
  3. In the field write 'https://www.reddit.com', click the 'Block' button and save changes.
  4. In a new tab, navigate to the blocked website (reddit.com).
  5. After the website loads, switch back to the about:preferences#privacy page and refresh it.
  6. Scroll down to the 'Cookies and Site Data' section and click 'Manage Data'.

Expected result

  • Cookies from reddit should not be displayed.

Actual result

  • Cookies from reddit.com are displayed.

Regression range

  • Will come back with a regression range ASAP.

Additional notes

  • Issue can't be reproduced on Windows 10.
Summary: Firefox receives cookies for website that was set as blocked in the permission section → Firefox receives cookies for a website that was set as blocked in the permission section

I can't reproduce on OSX, but I guess you said that this only reproduces on Windows 7 anyway, which seems really weird to me. If this can be consistently reproduced getting a regression range would be nice.

Component: Permission Manager → Privacy: Anti-Tracking
Has Regression Range: --- → no
Has STR: --- → yes

As a side-note I've investigated the issue further on Ubuntu and macOS 10.13. I've managed to reproduce the issue there as well.
I've run the regression and here is the result:

Keywords: regression

Thanks. It's interesting that you can reproduce on OSX, but the regression range seems very unlikely.

Just to clarify, you're using a fresh profile, right? And without having been to reddit.com on that profile before?

Yes, I'm using a fresh profile every time, so there wouldn't be any 'residual' navigation data.
As for the regression range, I'm not sure whether it matters, but I got it on an Ubuntu 18.04 machine.

Steven, could you set the priority flag for this bug?

Flags: needinfo?(senglehardt)

I can reproduce this on Nightly build 20200305212712 on Ubuntu 18.04.

However, I'm wondering if this is the expected functionality. The address entered in the video is https://www.reddit.com, and we see that no www.reddit.com cookies are set, only reddit.com. If I instead enter https://reddit.com then no cookies are set, so I'm guessing we either use full hostname matching to the domain attribute of the cookie or eTLD+1.

Johann can you confirm that's the expected functionality?

Flags: needinfo?(senglehardt) → needinfo?(jhofmann)
Priority: -- → P2
Has Regression Range: no → yes

In the video storage is set, though. So maybe we have a place where storage code is not respecting the cookie permissions correctly? I don't think the site data manager is showing regular cache in the storage section, so it would have to be something like localStorage.

Component: Privacy: Anti-Tracking → Storage: localStorage & sessionStorage
Flags: needinfo?(jhofmann)

Something weird is definitely happening if I navigate to "reddit.com" like in the video. When I opened the network panel in devtools I was able to reproduce locally and the profile is showing that we are storing data in QuotaManager for the on-disk encoded origin of https+++www.reddit.com for both LSNG and the Cache API and there is a ServiceWorker registration for https://www.reddit.com/. The only thing in Cache API storage is the ServiceWorker's https://www.reddit.com/sw.js script.

My naive presumption would be that we're sending the non-existent permissions for "reddit.com" or for a pre-STS upgrade "http" origin down to the process, not "https://www.reddit.com". If the permission isn't making it into the process then it would make sense that StorageAllowedForWindow would return StorageAccess::eAllow when it shouldn't. This same check is used both for LocalStorage and for ServiceWorkers as called by ServiceWorkerContainer::Register.

I'm going to try and get a pernosco reproduction up now and without involving devtools.
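As an added example (not code from this bug or from Firefox), the following toy JavaScript model shows the two matching policies guessed at above (full hostname against the cookie's Domain attribute vs eTLD+1) and the origin mismatch suspected in the previous comment, using the thread's own reddit.com values. The one-entry suffix table, the function names and the exact-origin storage lookup are assumptions made for illustration; Firefox's real lookup lives in its permission manager.

```javascript
// Added example, not Firefox code: a toy model of cookie/storage permission
// matching. ASSUMPTION: a one-entry suffix table stands in for the Public
// Suffix List; all function names here are constructed for illustration.
const PUBLIC_SUFFIXES = new Set(["com"]);

// eTLD+1 of a host: "www.reddit.com" -> "reddit.com".
function baseDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, "").split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

// Entries as typed into "Exceptions - Cookies and Site Data" in the video.
const PERMISSIONS = new Map([["https://www.reddit.com", "block"]]);

// Find the entry that applies to `host` under a matching policy:
//   "host": the entry's hostname must equal `host` exactly
//   "site": the entry's eTLD+1 must equal the eTLD+1 of `host`
function permissionForHost(host, policy, perms = PERMISSIONS) {
  for (const [entryOrigin, action] of perms) {
    const entryHost = new URL(entryOrigin).hostname;
    const same = policy === "site"
      ? baseDomain(entryHost) === baseDomain(host)
      : entryHost === host.replace(/^\./, "");
    if (same) return action;
  }
  return null; // no entry: default behaviour applies
}

// A Set-Cookie carrying Domain=<cookieDomain>: is it allowed to be stored?
function cookieAllowed(cookieDomain, policy, perms = PERMISSIONS) {
  return permissionForHost(cookieDomain, policy, perms) !== "block";
}

// Storage (localStorage, Cache API, ServiceWorker) check keyed on the origin
// the content process asks about. If it is asked about a pre-HSTS "http://"
// origin or the bare "reddit.com" instead of "https://www.reddit.com", this
// exact-origin lookup misses and answers "allow": the suspected failure mode.
function storageAllowedForOrigin(originUrl, perms = PERMISSIONS) {
  const origin = new URL(originUrl).origin;
  for (const [entryOrigin, action] of perms) {
    if (new URL(entryOrigin).origin === origin) return action !== "block";
  }
  return true;
}
```

Under "host" matching the block entry for www.reddit.com leaves a cookie with Domain=reddit.com untouched, which is exactly the "only reddit.com cookies are set" observation; under "site" matching the same entry blocks it.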

Hi Andrew, any luck in getting the pernosco session?

Flags: needinfo?(bugmail)

I have managed to reproduce this issue on Mac OS 11 while running these steps:

  1. Open Firefox and go to about:preferences -> "Privacy & Security" section.
    Firefox is opened and "Privacy & Security" section is displayed
  2. Make sure that "Standard" option is set in the Enhanced Tracking Protection section.
    Standard is set by default
  3. Go to Cookies and Site Data -> click on "Manage Data..."
    You can see a list with many sites displayed
  4. In the "Cookies and Site Data" click on the "Manage Permissions..." button.
    The "Exceptions - Cookies and Site Data" dialog is opened.
  5. Add https://www.reddit.com/ in the field manually and hit the "Block" button.
    The website in question is added in the list with the "Block" status.
  6. Go to Reddit.
    The website will not be completely loaded as all cookies are automatically blocked.
  7. Go to Cookies and Site Data -> click on "Manage Data..."
    You can see a list of websites but https://www.reddit.com/ is NOT displayed on that list.

Reddit-related cookies are shown in the list.

Considering previous comments, this appears not to be Windows 7 specific and somewhat intermittent.

OS: Windows 7 → All