Closed Bug 1619643 Opened 4 years ago Closed 4 years ago

Cookies are NOT cleaned when interaction timeout window is passed

Categories

(Core :: Privacy: Anti-Tracking, defect)

defect
Not set
normal

Tracking


RESOLVED INVALID
Tracking Status
firefox73 --- unaffected
firefox74 --- unaffected
firefox75 --- wontfix

People

(Reporter: hyacoub, Unassigned)

References

(Blocks 1 open bug)

Details

Affected versions

  • 75.0a1 (2020-03-03)

Affected platforms

  • macOS 10.14
  • Windows 10 x64

Steps to reproduce

  1. Open Firefox and in about:config set privacy.purge_trackers.enabled=true.
  2. Navigate to one or two popular websites to create some cookies and site storage.
  3. Check the "Manage Cookies and Site Data" dialog from about:preferences#privacy to ensure that cookies and other site storage from domains on the TP list (https://github.com/englehardt/englehardt.github.io) were generated.
  4. Go to about:config and set the preference "privacy.userInteraction.expiration" to "1".
  5. Check the cookies from the "Manage Cookies and Site Data" dialog.

Expected result

  • First party cookies are NOT cleaned when interaction timeout window is passed

Actual result

  • All the cookies (first-party, third-party and other site storage) from the site on the TP list are cleared.

Note

All the scenarios are taken from the technical documentation: https://docs.google.com/document/d/1DWB6KSrw8Yquv3xqEdjIjdqgji1LQf1euPkPFcUdsl4/edit#

Your "actual result" looks correct to me. Did you mix up expected and actual here? :)

Assuming you did, you need to set the privacy.userInteraction.expiration before visiting the pages, so e.g. at the beginning of the session. Can you confirm that doing this resolves the issue?

Flags: needinfo?(hani.yacoub)

Sorry for that. I mixed the expected and actual results.
Cookies are NOT cleaned even after setting "privacy.userInteraction.expiration" pref before visiting the pages.

Do you have any extra tips?

Flags: needinfo?(hani.yacoub) → needinfo?(jhofmann)

I can't confirm. Setting privacy.userInteraction.expiration works fine for me. Which specific site are you seeing this for? Can you maybe make a screencast for this? :)

Thanks!

Flags: needinfo?(jhofmann) → needinfo?(hani.yacoub)

(In reply to Johann Hofmann [:johannh] from comment #3)

> I can't confirm. Setting privacy.userInteraction.expiration works fine for me. Which specific site are you seeing this for? Can you maybe make a screencast for this? :)
>
> Thanks!

Here is a set of more specific steps that we used to reproduce this issue (after previously setting the preference "privacy.purge_trackers.enabled" to true):

  1. In a new tab, navigate to https://edition.cnn.com/ and open all the articles from the "Paid Content" section
  2. In a new tab, navigate to https://www.instagram.com/ and click on the Login with Facebook option
  3. In a new tab, navigate to https://www.amazon.com/
  4. Close all the tabs opened in the previous steps
  5. Go to about:config and set the preference "privacy.userInteraction.expiration" to "1"
  6. Restart the browser and check the "Manage Cookies and Site Data" dialog.
    ---> in this step, all the cookies from the Disconnect Tracking Protection list should be cleared (according to the received documentation, cookies should be cleared after modifying the "privacy.userInteraction.expiration" preference). Please see the screencast for more details:
    https://imgur.com/6QOulwl

Went even further and entered the following snippet in the browser console:

await Components.classes["@mozilla.org/purge-tracker-service;1"].getService(Components.interfaces.nsIPurgeTrackerService).purgeTrackingCookieJars()

Even so, the cookie "www.instagram.com" is still not cleared. Please see the screencast: https://imgur.com/V8ss4Ny

Johann, shouldn't setting the preference "privacy.userInteraction.expiration" to "1" be enough for the clearance of all the cookies from the Disconnect Tracking Protection list?

Flags: needinfo?(hani.yacoub) → needinfo?(jhofmann)

To repeat, please set the privacy.userInteraction.expiration pref to 1 before visiting the pages to collect tracking cookies. You could do it as the first step in a fresh profile, for example.

Flags: needinfo?(jhofmann)

Simona, can you please try the same steps as in your previous comments while setting the pref before loading any pages?

Flags: needinfo?(simona.marcu)

(In reply to Johann Hofmann [:johannh] from comment #7)

> Simona, can you please try the same steps as in your previous comments while setting the pref before loading any pages?

Indeed, if I set the preference "privacy.userInteraction.expiration" to "1" from the beginning and I follow steps 1-6 from Comment 4 and then I run the snippet from Comment 5, I no longer see cookies from the TP list.

There is, though, a cookie that I'm seeing even after the clearance that draws my attention: "associates-amazon.com". Is this ok?

Flags: needinfo?(simona.marcu)

Alright, thanks for confirming that. associates-amazon.com is not a known tracker as of now. Steve, I assume that's intentional?

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(senglehardt)
Resolution: --- → INVALID

It's not on Disconnect's list. From a quick search it doesn't look like it's a particularly popular third party https://publicwww.com/websites/%22associates-amazon.com%22/. I tried following the steps in Comment 4 to see if I can find the website that sets the cookie, but had no luck. If we're able to find a non-amazon site that reliably embeds that domain as a third-party resource and if it appears to have tracking cookies, we can report it to Disconnect.

Simona, do you know which URL embeds content from associates-amazon.com?

Flags: needinfo?(senglehardt) → needinfo?(simona.marcu)

(In reply to Steven Englehardt [:englehardt] from comment #10)

> It's not on Disconnect's list. From a quick search it doesn't look like it's a particularly popular third party https://publicwww.com/websites/%22associates-amazon.com%22/. I tried following the steps in Comment 4 to see if I can find the website that sets the cookie, but had no luck. If we're able to find a non-amazon site that reliably embeds that domain as a third-party resource and if it appears to have tracking cookies, we can report it to Disconnect.
>
> Simona, do you know which URL embeds content from associates-amazon.com?

Yes, it's from https://www.amazon.com/

I'll pay attention to this cookie while testing, and I'll come back if I find a non-amazon site.

Flags: needinfo?(simona.marcu)
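
Added example, not part of the original thread and not Firefox code: a simplified model of why the order of steps decided the outcome above and why associates-amazon.com survived the purge. It assumes (the thread does not state the mechanism) that an interaction record's expiry is fixed from the pref value in effect when the interaction is recorded; the class, function names, time values and the host tracker.example are hypothetical, and treating www.instagram.com as a listed host is part of the constructed scenario.

```javascript
// Simplified model, not Firefox code. All names here are hypothetical.
// Assumption: an interaction record's expiry is computed once, when the
// interaction is recorded, from the pref value in effect at that moment.
const LONG_WINDOW = 1000000; // constructed stand-in for the default pref value

class Profile {
  constructor(trackerList) {
    this.trackers = new Set(trackerList); // models the tracking-protection list
    this.expiration = LONG_WINDOW;        // models privacy.userInteraction.expiration
    this.cookies = new Set();             // hosts that currently hold cookies
    this.interactionExpiry = new Map();   // host -> time its interaction lapses
  }

  visit(host, now, { interacted = false } = {}) {
    this.cookies.add(host);
    if (interacted) this.interactionExpiry.set(host, now + this.expiration);
  }

  // Models a purge run: drop cookies of listed hosts with no live interaction.
  purge(now) {
    for (const host of [...this.cookies]) {
      const expiry = this.interactionExpiry.get(host);
      const live = expiry !== undefined && expiry > now;
      if (this.trackers.has(host) && !live) this.cookies.delete(host);
    }
    return [...this.cookies].sort();
  }
}

// Constructed scenario: same visits, pref lowered before or after them.
function run(prefFirst) {
  const p = new Profile(["www.instagram.com", "tracker.example"]);
  if (prefFirst) p.expiration = 1;                 // pref set in a fresh profile
  p.visit("www.instagram.com", 0, { interacted: true });
  p.visit("tracker.example", 0);                   // listed, never interacted with
  p.visit("associates-amazon.com", 0);             // not on the list
  if (!prefFirst) p.expiration = 1;                // pref changed after browsing
  return p.purge(10);                              // purge after the short window
}

console.log("pref set after visits :", run(false));
console.log("pref set before visits:", run(true));
```

In this model, lowering the pref after browsing leaves the already-recorded interaction with its long expiry, so the listed host that was interacted with keeps its cookies; a host that is not on the list is never purged in either order.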