The notification permission granted in normal browsing mode also applies to private browsing
Categories
(Fenix :: General, task, P2)
Tracking
(firefox105 wontfix, firefox106 wontfix, firefox107 wontfix, firefox108 wontfix, firefox109 verified)
People
(Reporter: csadilek, Assigned: amejia)
References
Details
(Keywords: csectype-disclosure, privacy, sec-moderate, Whiteboard: [geckoview:m107] [geckoview:m108][adv-main109+])
Attachments
(2 files)
Originated from bug report https://bugzilla.mozilla.org/show_bug.cgi?id=1784741
In Firefox on Android, the user's allow/deny selection in Normal Browsing Mode is carried over to Private Browsing Mode in Notification Permission. This vulnerability risks allowing the display of notifications that should not be displayed based on different sessions (e.g., past Private Browsing Mode sessions that should have been discarded or sessions in a different browsing mode).
Reporter | ||
Comment 1•2 years ago
|
||
The notification permission is granted per application currently. With the work required for Android 13 to switch to runtime permissions for notifications, we could also introduce separate notification channels for different browsing contexts.
Comment 2•2 years ago
|
||
The per-app permission is the per-app permission: websites can't detect that. Assuming you've granted the permission to the app, and then grant it to an origin in Normal browsing (say, your webmail or chat site), does a private browsing session on the same origin get that permission or does it have to ask the user separately?
Reporter | ||
Comment 3•2 years ago
|
||
The per-app permission is the per-app permission: websites can't detect that.
Sure, sorry for the terse comment#1. Fenix currently stores Notifications permissions per app (OS permission) and per origin (Gecko storage), but not per browsing context. We should fix both, in my opinion. Even the global app permissions could be separate for private browsing mode, but this bug is mainly about the latter.
does a private browsing session on the same origin get that permission or does it have to ask the user separately?
For Notifications it currently gets it. Jon and I looked into this today and we'll file tickets for the changes we need tomorrow. This is mitigated in my testing because service workers don't run in private browsing, which would mostly trigger notifications. For other permissions, e.g., location, we display a "Remember decision for this site" checkbox, and once checked they will apply to private browsing as well. Both is wrong. We should ask again for private browsing mode.
Updated•2 years ago
|
Assignee | ||
Updated•2 years ago
|
Comment 4•2 years ago
|
||
107
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Comment 6•2 years ago
|
||
Daniel, this bug is marked as a security issue, but it has no sec-
rating keyword. What priority do you recommend?
Comment 7•2 years ago
|
||
sec-moderate.
I thought site permissions were handled by Gecko (not the UI part, obviously) and already handled origin attributes. Is Fenix rolling it's own?
Comment 8•2 years ago
|
||
P2 for sec-moderate bug
I thought site permissions were handled by Gecko (not the UI part, obviously) and already handled origin attributes. Is Fenix rolling it's own?
Fenix handles (some?) site permissions in the front end app. IIUC, GeckoView's original design was to be stateless, with no shared user profiles, but that caused a lot of code duplication so we've backed away from that design.
Assignee | ||
Comment 9•2 years ago
|
||
The AC patch that address this bug just landed on 109, the Fenix patch will land just after the new AC nightly version is available.
Assignee | ||
Comment 10•2 years ago
|
||
The Fenix patch landed on 109, the fix should be available the next Fenix nightly update.
Comment 11•2 years ago
|
||
Is this something we were thinking we'd eventually want to uplift to 108?
Assignee | ||
Comment 12•2 years ago
|
||
I think we could let it ride the trains.
Updated•2 years ago
|
Comment 13•1 year ago
|
||
Comment 14•1 year ago
|
||
Verified as fixed on Nightly 109.0a1 from 12/06 with OnePlus 9 Pro (Android 12). The user's allow/deny selection in Normal Browsing Mode is not carried over to Private Browsing Mode in Notification Permission.
If permission for Notifications was previously granted in Normal Browsing, when switching to Private and tapping the Notifications button, a dialog appears asking for the SITE's permission to send notifications.
Updated•1 year ago
|
Updated•1 year ago
|
Comment 15•1 year ago
|
||
Updated•1 year ago
|
Updated•9 months ago
|
Updated•9 months ago
|
Description
•