Open Bug 1695054 Opened 4 years ago Updated 2 years ago

Cross-site tracking will not honor the revocation of privileges

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Firefox 86
defect

People

(Reporter: bugzilla, Unassigned)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:86.0) Gecko/20100101 Firefox/86.0

Steps to reproduce:

Logged into Outlook mail client at https://outlook.live.com/owa/
Clicked LOGIN button (top left)
Site information in Firefox address bar shows that I have granted permissions to this website temporarily for cross-site cookies.
"X" out the Allow Temporarily option
I logged into my email account

Actual results:

The Allow Temporarily option returns.

Expected results:

I assume the Allow Temporarily cross-site tracking should be disabled.

This seems like a UI or privacy issue, but it isn't a remotely exploitable security hole in Firefox that needs to be hidden to avoid users being put at risk, so I'm removing the security group that hides it from most people - this will also help more people see the issue so they can help triage, diagnose and fix it as appropriate.

Group: firefox-core-security
Component: Untriaged → Privacy: Anti-Tracking
Product: Firefox → Core

I'd like to correct a few steps here. Apologies in advance.

  1. Launch Firefox
  2. Access https://outlook.live.com - this changes the URL to https://outlook.live.com/OWA
  3. Cross site permissions keys not present
  4. Click Sign In, cross-site permissions keys appear
  5. Hovering over locks shows permissions granted on https://outlook.live.com
  6. X out the Temporarily Allow option
  7. Refresh the page per security notice
  8. Permissions granted disappears
  9. Log into email
  10. Cross-site cookies for https://outlook.live.com reappears

Additional issue(s)

After logging into email and disabling cross-site cookies and refreshing page, additional permissions disappear. However, if I navigate to another website, then access https://outlook.live.com again, I am still logged into my email, but the cross-site tracking permissions return.

Even if I am logged into email, get rid of the cross-site tracking permissions, refresh the page and simply click my login link of https://outlook.live.com, I am still logged into email but the cross-site tracking permission reappears.

I have my Browser Privacy set to Strict and, as far as I can tell, I haven’t granted the temporary cross-site permissions.

See Also: → 1683165
Severity: -- → S3
Priority: -- → P3
Flags: needinfo?(jhofmann)

We've discussed this internally in the past and I don't think we have a great solution to this yet, but are aware of the inconvenience and are still looking for a better solution.

Flags: needinfo?(mail)
Status: UNCONFIRMED → NEW
Ever confirmed: true

It looks like FF has changed quite a bit since this bug was reported and I’m now unable to replicate using the steps I provided. Has this issue been resolved or are the steps to recreate now different?

Flags: needinfo?(tihuang)

I think it's because the steps now don't trigger the behavior to happen. AFAICT, we haven't changed the behavior of the temporary cross-site cookie permission.

Flags: needinfo?(tihuang)