Closed Bug 1696287 Opened 4 years ago Closed 4 years ago

Pocket cookie doesn't get removed if logging out at getpocket.com

Categories

(Firefox :: Pocket, defect)

Product:
Firefox
Component:
Pocket
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
88 Branch
Tracking Flags:
Tracking Status
firefox88 --- verified

People

(Reporter: thecount, Assigned: thecount)

Details

Attachments

(1 file)

Bug 1696287 - Fixing Pocket cookie host check.
48 bytes, text/x-phabricator-request
Details | Review

I'm not able to reproduce this myself, but I've seen it happen for others.

Steps:

  1. On Nightly
  2. Signed in with your account
  3. Log out from getpocket.com/my-list
  4. Confirm that you don’t see either ftv1 or fsv1 cookies
  5. Go to: https://getpocket.com/explore/item/surprising-ways-to-beat-anxiety-and-become-mentally-strong-according-to-science?utm_source=pocket-newtab
  6. Confirm I still don’t see those cookies
  7. Click save from toolbar - still saves
  8. Log back in to same account
  9. Confirm link is in my account

I can reproduce it if I set privacy.firstparty.isolate.use_site to true, but that's not how it's happening for the people that can reproduce, so not the main cause, but possibly related?

Moving to Anti-Tracking on suspicion, though it might not actually be related to our protections.

Component: General → Privacy: Anti-Tracking
Product: Firefox → Core

I tried to reproduce this issue by using a new profile with privacy.firstparty.isolate.use_site set to true. But I cannot reproduce this.

This pref will only take effect if you enable privacy.firstparty.isolate. Did you enable FPI when tested this?

Note that I couldn't reproduce this even with FPI enabled. Maybe I didn't test it right.

Flags: needinfo?(sdowne)

I did set privacy.firstparty.isolate initially, yeah. It tested that before use_site, then tested both, and saw the bug.

I then turned off privacy.firstparty.isolate to see if you needed both, or if use_site was enough.

When I tested again, I still saw the bug, but I tried that again this morning, and I think it's only happening if both are set.

I probably just made a mistake last night with my testing, looks like yeah you need both privacy.firstparty.isolate and privacy.firstparty.isolate.use_site, which is just for me. For others, it happens without the prefs set.

Flags: needinfo?(sdowne)

We did some testing with the profile that can reproduce, and I think this got us some new information.

We tried a new profile in that browser with the same Pocket account, and the issue was not happening.

We tried a new Pocket account in the profile with the issue, and while logged into the new Pocket account, it would save Pocket articles to the new account. As soon as we logged out of the new account, it started to return the old cookie again, and started to save things to the old account even if completely logged out of both accounts.

Got a report of this happening on 86 (release) now.

Is the above comments info helpful at all?

The profile on release that this is happening is an employee that I can connect someone with if we want to dig in and debug.

Flags: needinfo?(tihuang)

Thanks, they are really helpful.

I can reproduce this issue by using the following steps.

  1. Open a new profile
  2. Turn privacy.firstparty.isolate on
  3. Log in the pocket through either the pocket icon or website.
  4. Turn privacy.firstparty.isolate.use_site on

After step4, you can observe the issue that the website is logged out but the page can still be saved via the icon on the URL bar.

I think the root cause of this case is that the pocket icon on the URL bar isn't aware of the pref privacy.firstparty.isolate.use_site. So, it will get the wrong cookie, meaning the cookie added when privacy.firstparty.isolate.use_site is off.

But I have no clue about why this would happen without touching these two prefs. Maybe we can find something from the cookies of getpocket.com. Could you provide cookies to me?

Note that the storage panel of the devtools doesn't show the first party domain. So, I would recommend using addons to get cookies, such as Cookie Quick Manager. Thanks.

Flags: needinfo?(tihuang)

Got this sorted out, and I think given the solution, it makes the most sense to move this to the Pocket component.

Thanks all for the help tracking this down.

Component: Privacy: Anti-Tracking → Pocket
Product: Core → Firefox

To test

  1. Setup a new profile.
  2. Log into Pocket.
  3. Save an article newtab provides a good selection.
  4. Enable the addon cookie quick manager https://addons.mozilla.org/en-CA/firefox/addon/cookie-quick-manager/
  5. Using the addon, find the getpocket.com cookie for ftv1 and fsv1.
  6. Using the addon, copy and recreate those cookies in api.getpocket.com.
  7. Log out of Pocket.
  8. Try to save an article.

Expected: Should not be able to save the article, because you logged out.

Assignee: nobody → sdowne
Status: NEW → ASSIGNED
Pushed by sdowne@getpocket.com: https://hg.mozilla.org/integration/autoland/rev/8803bc71047a Fixing Pocket cookie host check. r=gvn

https://hg.mozilla.org/mozilla-central/rev/8803bc71047a

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox88: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
Flags: qe-verify+

Hello! Reproduced the issue using Firefox 88.0a1 (20210303215027) on Windows 10x64 using STR from comment 7 and comment 10.
With Firefox 88.0b9 (20210408190318) I can no longer reproduce the issue using STR from comment 10 but I can still reproduce it using str from comment 7. Is this expected? Thank you!

Flags: needinfo?(sdowne)

Yup, that's expected.

Comment 7 was while we we still trying to figure out what was happening. It ended up being not related.

Flags: needinfo?(sdowne)

Thank you, Scott!
Verified fixed using STR from comment 10 with Firefox 88.0 (20210412175251) on Windows 10x64, macOS 11.2.3 and Ubuntu 20.04.

Status: RESOLVED → VERIFIED
status-firefox88: fixedverified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: