Notification permissions are retained across private browsing windows if you don't close all of Firefox
Categories (Firefox :: Private Browsing, defect)
People (Reporter: emz, Unassigned)
Details (Keywords: sec-other, Whiteboard: [keep hidden while 1784741 is])
T2-2 : In Firefox on macOS, the selection by the user to allow notification permissions is permanently retained in Private Browsing Mode. This vulnerability risks allowing the display of notifications that should not be displayed based on different sessions (e.g., past Private Browsing Mode sessions that should have been discarded or sessions in a different browsing mode).
The bug does not seem to be macOS specific. I can reproduce it on Ubuntu too.
This bug is from the report in Bug 1784741.
Comment 1•3 years ago
Thank you for reviewing our report.
We operated Firefox in the following sequence during our investigation.
This procedure includes the step (step 6) of quitting the Firefox browser, including the standard browsing mode windows, in the middle of the operation.
Steps in our analysis
1. launch the Firefox browser
2. open a website requesting notification permission in Private Browsing mode (e.g., https://permission.site)
3. the website requests notification permission
4. we grant the requested notification permission
5. close Private Browsing mode window
6. Quit Firefox browser (also quits normal browsing mode)
7. launch the Firefox browser
8. open the website requesting notification permission in Private Browsing mode (the same site as in 2)
9. the website requests notification permission
10. we analyze the permission status at this time
With this procedure, we concluded that the permission state is persistent only in Private Browsing mode of Firefox on Mac.
However, when step 6 of the above procedure is omitted, i.e., the close/open operation of the Private Browsing window is performed without quitting the Firefox browser, we found that the notification permissions are persistent in Private Browsing mode on Windows and Linux (Ubuntu) as well.
We think this implementation should be fixed for the privacy.
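Added example (not part of the report or of Firefox's code): one way to record the permission status at step 10 of the procedure above, using the standard `Notification.permission` and `navigator.permissions.query` web APIs. The function names and verdict labels are this example's own, and it assumes the site has no decision stored from normal browsing and that the prompt in the new private window has not yet been answered.

```javascript
// Classify the notification permission a page sees in a freshly opened
// Private Browsing window. Names and verdict labels are hypothetical.

// notificationPermission: Notification.permission ("default" | "granted" | "denied")
// queryState: PermissionStatus.state ("prompt" | "granted" | "denied"),
//             or null when the Permissions API could not be queried
function classifyPermission(notificationPermission, queryState) {
  if (queryState !== null) {
    // The Permissions API says "prompt" where Notification says "default".
    const normalized = queryState === "prompt" ? "default" : queryState;
    if (normalized !== notificationPermission) {
      return { verdict: "inconsistent", retained: null };
    }
  }
  if (notificationPermission === "granted" || notificationPermission === "denied") {
    // A decision exists although this window has not been asked yet:
    // it was carried over from an earlier private window.
    return { verdict: `retained-${notificationPermission}`, retained: true };
  }
  return { verdict: "clean", retained: false };
}

// env defaults to the page's global object; a stub can be passed for testing.
async function checkNotificationState(env = globalThis) {
  if (!env.Notification) {
    return { verdict: "unsupported", retained: null };
  }
  let queryState = null;
  try {
    const status = await env.navigator.permissions.query({ name: "notifications" });
    queryState = status.state;
  } catch (_) {
    // Permissions API unavailable: fall back to Notification.permission alone.
  }
  return classifyPermission(env.Notification.permission, queryState);
}

// In the devtools console of the new private window, before answering any prompt:
//   checkNotificationState().then(console.log)
```

Running it once in the first private window (step 2, before granting) and again at step 10 gives a before/after pair to attach to a report.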
Comment 2•3 years ago
Firefox has only a single private session that lasts as long as the normal Firefox session lasts. If you close a private window and then open a new private window you are still in the same private browsing "session". This works differently from other browsers, and differently than users expect.
> We think this implementation should be fixed for the privacy
Many people agree. See bug 1530394
Comment 3•3 years ago
I agree that the implementation of Bug 1530394 is inappropriate.
On the Mac, the Firefox application process is not terminated when the user exits the application via the "Close Window" button.
This means that the normal browsing session is maintained even after the user clicks the "Close Window" button.
Therefore, compared to other operating systems, the normal browsing session is more likely to be maintained on the Mac, making Bug 1530394 a greater threat.