Cookies and session state maintained across tabs and windows in incognito mode
Categories
(Firefox :: Session Restore, defect)
People
(Reporter: ganeshramc, Unassigned, NeedInfo)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Steps to reproduce:
- Open incognito window
- Log in to a website, let's say paypal.com
- Open new tab and go to paypal.com (you'll be logged in)
- Open new window and go to paypal.com (you'll be logged in)
- Close all incognito windows and open a new incognito window and go to paypal.com (you'll be logged in)
Actual results:
Cookies and session state for websites are maintained across tabs and new windows in incognito mode. This leads to potential information leakage through the cookies if you want to browse something else in a new incognito mode.
Expected results:
Ideally when opening a new tab in incognito mode, it is expected for the session state and cookies to not be carried over. A new tab is something that can be accepted but a new window seems to be the bigger problem since typically a person opens a new incognito window so the previous incognito window's details are not carried over.
Comment 1 (Reporter) • 4 years ago
The only way to get around this, that is, to remove the session state and cookies in incognito mode, is to quit the Firefox application completely, which resets the storage for incognito.
Comment 2 • 4 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 3 • 4 years ago
The severity field is not set for this bug.
:mikedeboer, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 4
I can't reproduce this, namely point #5.
If I close all incognito windows, all incognito-related state is flushed for me, which is as expected.
Comment 5 • 9 months ago
Redirect a needinfo that is pending on an inactive user to the triage owner.
:dao, since the bug has recent activity, could you have a look please?
For more information, please visit BugBot documentation.