Closed Bug 1777307 Opened 2 years ago Closed 2 years ago

Addon Cookie API - Cookie source by "Window Id" and "Tab Id"

Categories

(WebExtensions :: Storage, enhancement)

Product:
WebExtensions
Component:
Storage
Version:
Firefox 101
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: jan, Unassigned)

Details

Attachments

(1 file)

fg_cookie_list.png
74.07 KB, image/png
Details
Attached image fg_cookie_list.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0

Steps to reproduce:

Working on the add-on "Flag cookies" using "onCookieChanged" event listener to track dynamic cookie additions. Labeled as "Cross Origin" in the attached screenshot.

Actual results:

The cookie information (changeInfo) of "onCookieChanged" miss a source of origin, For example the "Window ID" and "Tab Id" properties, like it is the case for tabs to relate which tab (/domain) the request originated from.

Expected results:

All Cookie API provided cookie information should include a "Window Id" and "Tab Id".

The Bugbug bot thinks this bug should belong to the 'Core::Networking: Cookies' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Networking: Cookies
Product: Firefox → Core
Component: Networking: Cookies → Storage
Product: Core → WebExtensions

Cookies are not specific to a specific window or tab. At the level where the extension API hooks into, it's not known where the cookie read/write access originated.

If you want to reliably attribute cookies to a specific origin, then the cookie jar would have to be somewhat independent of others. If it's acceptable to the user, ways to do so include:

  • Using container tabs (cookieStoreId in the cookies/tabs extension APIs)
  • When First-Party Isolation is enabled (firstPartyDomain in cookies API, derived from tab.url)
  • When dynamic First-Party Isolation (aka Total Cookie Protection) is enabled (partitionKey in the cookies API, derived from tab.url)
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID

This are rather difficult suggestions to work with. Cookies can be detected, even dynamically read or created ones. But how come it is not possible to decide, whether the cookie original was loaded on a particular tab or window?

Its the exact information which I miss most. I can dynamically read XmlHttpRequest and other cookies "changeInfo" objects, which are added on the fly. - But there is no way to figure out, in case of more then one active tab, where the cookie was added as there is no specification for it.

Cookies are independent of tabs/windows. They are associated with specific domains/websites, and stored in some database. The implementation of the cookies API accesses these cookies through the database, at an abstraction level where the "original" tab is unknown.

You would have to monitor all requests in a tab to see all relevant URLs.

If you don't care about non-document cookies, then you could also use webNavigation.getAllFrames to query the relevant (document) URLs on demand.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: