Open Bug 1651282 Opened 4 years ago Updated 9 months ago

Cookies and session state maintained across tabs and windows in incognito mode

Categories

(Firefox :: Session Restore, defect)

Version: 77 Branch

Status: UNCONFIRMED

People

(Reporter: ganeshramc, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0

Steps to reproduce:

  1. Open incognito window
  2. Log in to a website, let's say paypal.com
  3. Open a new tab and go to paypal.com (you'll be logged in)
  4. Open a new window and go to paypal.com (you'll be logged in)
  5. Close all incognito windows, open a new incognito window and go to paypal.com (you'll be logged in)

Actual results:

Cookies and session state for websites are maintained across tabs and new windows in incognito mode. This leads to potential information leakage through the cookies if you want to browse something else in a new incognito window.

Expected results:

Ideally when opening a new tab in incognito mode, it is expected for the session state and cookies to not be carried over. A new tab is something that can be accepted but a new window seems to be the bigger problem since typically a person opens a new incognito window so the previous incognito window's details are not carried over.

The only way to get around this, i.e. to remove the session state and cookies in incognito mode, is to quit the Firefox application altogether, which resets the storage for incognito.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Session Restore

The severity field is not set for this bug.
:mikedeboer, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mdeboer)

I can't reproduce this, namely point #5.

If I close all incognito windows, all incognito-related state is flushed for me, which is as expected.

Redirect a needinfo that is pending on an inactive user to the triage owner.
:dao, since the bug has recent activity, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(mdeboer) → needinfo?(dao+bmo)