Open Bug 1800804 Opened 3 years ago Updated 1 year ago

Clear-Site-Data header with "cookies" doesn't handle domains correctly

Categories

(Toolkit :: Data Sanitization, defect, P3)

Firefox 106
defect

People

(Reporter: mozilla, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0

Steps to reproduce:

  1. Go to https://www.fastmail.com . Log in to an account if you have one.
  2. Either way, using an extension like Cookie Quick Manager (https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/) observe that several cookies were set in .fastmail.com, and if you logged in, api.fastmail.com
  3. Go to https://app.fastmail.com/clear-data/
  4. Open web developer tools Network tab
  5. Click the "Clear all site data" button
  6. Observe that the request returned the header:

clear-site-data: "cache", "cookies", "storage", "executionContexts", "*"

  7. Refresh the list of cookies in the Cookie Quick Manager tab
  8. Observe that none of the fastmail.com cookies were removed

Actual results:

It appears a "Clear-Site-Data" header with a "cookies" option only clears cookies for the exact matching origin, not even sub-domains, rather than all cookies for the registered domain and all sub-domains of the registered domain as specified by the spec.

Expected results:

As per the spec, all cookies for the "registered domain" and all sub-domains should be cleared.

https://w3c.github.io/webappsec-clear-site-data/#abstract-opdef-clear-cookies-for-origin

  1. Let registered be the registered domain of origin’s host.
  2. Let cookie list be the set of cookies from the cookie store whose domain attribute is a domain-match with registered.
  3. For each cookie in cookie list:
    1. Remove cookie from the cookie store.

The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Networking
Product: Firefox → Core

Hi Paul,

Could you take a look at this?

Thanks.

Flags: needinfo?(pbz)

We do indeed clear cookies and storage by exact origin, by principal here: https://searchfox.org/mozilla-central/rev/aa329cf7506ddd966542e642ec00223fd7461599/toolkit/components/clearsitedata/ClearSiteData.cpp#215
We even take into account the partitionKey, which means sites can't clear data across dFPI partitions.

The CookieCleaner is called here, note how it clears for exact host + OriginAttributes: https://searchfox.org/mozilla-central/rev/aa329cf7506ddd966542e642ec00223fd7461599/toolkit/components/cleardata/ClearDataService.jsm#123,135

That means for "cookies" we seem to deviate from the spec and we should clear by base domain (+OA?) instead. Looking at the spec, the rest of the storage (including cache) should be cleared by origin.

Status: UNCONFIRMED → NEW
Component: Networking → Data Sanitization
Ever confirmed: true
Flags: needinfo?(pbz)
Product: Core → Toolkit
Severity: -- → S3
Priority: -- → P3
See Also: → 1798877
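
The gap between the exact-host clearing described in the comment above and the spec's three registered-domain steps quoted in the report, as an added JavaScript example (not Firefox code and not part of the bug thread). The two-entry public-suffix set, the cookie names and the notfastmail.com and example.co.uk entries are constructed assumptions, and OriginAttributes/partitionKey are not modelled:

```javascript
// Assumption: tiny stand-in for the Public Suffix List, enough for the sample hosts.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// Registered domain = longest matching public suffix plus one more label.
function registeredDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // no known suffix
}

// RFC 6265 domain-match: identical to `domain`, or a subdomain of it.
function domainMatches(cookieDomain, domain) {
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return d === domain || d.endsWith("." + domain);
}

// Behaviour reported in the bug: only cookies stored for the exact host are removed.
function clearByExactHost(store, originHost) {
  return store.filter((c) => c.domain.replace(/^\./, "") !== originHost);
}

// Spec steps 1-3: remove every cookie whose domain domain-matches the registered domain.
function clearByRegisteredDomain(store, origin) {
  const registered = registeredDomain(new URL(origin).hostname);
  if (registered === null) return store; // this sketch's choice: clear nothing
  return store.filter((c) => !domainMatches(c.domain, registered));
}

// Constructed cookie store; returned arrays hold the cookies that survive clearing.
const SAMPLE_STORE = [
  { name: "domain-wide", domain: ".fastmail.com" },
  { name: "api-session", domain: "api.fastmail.com" },
  { name: "app-pref", domain: "app.fastmail.com" },
  { name: "lookalike", domain: "notfastmail.com" }, // must survive both
  { name: "unrelated", domain: "example.co.uk" },
];

const survivors = (s) => s.map((c) => c.name);
console.log(survivors(clearByExactHost(SAMPLE_STORE, "app.fastmail.com")));
console.log(survivors(clearByRegisteredDomain(SAMPLE_STORE, "https://app.fastmail.com/clear-data/")));
```

The lookalike entry shows why the match must be on a label boundary: a plain suffix comparison against "fastmail.com" would also delete cookies belonging to notfastmail.com.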