Closed Bug 1817165 Opened 2 years ago Closed 2 years ago

A cookie issue in Private Browsing on 111.0b1 and 112.0a1 (2023-02-15) (macOS)

Categories

(Firefox :: Private Browsing, defect)

Firefox 112
defect

RESOLVED INVALID

People

(Reporter: duckhiem, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36

Steps to reproduce:

On macOS Ventura 13.1, on Firefox 111.0b1 and 112.0a1 (2023-02-15):

Create an online .html file:

<!DOCTYPE html>
<html>
<head>
<script>
// Store a cookie that expires after `exdays` days.
function setCookie(cname, cvalue, exdays) {
  const d = new Date();
  d.setTime(d.getTime() + (exdays * 24 * 60 * 60 * 1000));
  let expires = "expires=" + d.toUTCString();
  document.cookie = cname + "=" + cvalue + ";" + expires + "; path=/";
}

// Return the value of the named cookie, or "" if it is not set.
function getCookie(cname) {
  let name = cname + "=";
  let decodedCookie = decodeURIComponent(document.cookie);
  let ca = decodedCookie.split(';');
  for (let i = 0; i < ca.length; i++) {
    let c = ca[i];
    while (c.charAt(0) == ' ') {
      c = c.substring(1);
    }
    if (c.indexOf(name) == 0) {
      return c.substring(name.length, c.length);
    }
  }
  return "";
}

// Greet a returning visitor, or prompt for a name and remember it for 30 days.
function checkCookie() {
  let user = getCookie("username");
  if (user != "") {
    alert("Welcome again " + user);
  } else {
    user = prompt("Please enter your name:", "");
    if (user != "" && user != null) {
      setCookie("username", user, 30);
    }
  }
}
</script>
</head>

<body onload="checkCookie()"></body>

</html>

Open a New Private Window, load it:

https://duckhiemblogger.blogspot.com/2023/02/function-setcookiecnamecvalueexdays_16.html

Enter a string.

Close the tab, open a new tab in the Private Window, load it again:

https://duckhiemblogger.blogspot.com/2023/02/function-setcookiecnamecvalueexdays_16.html

Actual results:

The second tab can get the cookie entered in the first tab in Private Window.

Expected results:

This https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history states: "Private Browsing does not save your browsing information, such as history and cookies", so is it a fact that we need to close the Private Window to clear all cookies set in the private browsing session?

Private browsing doesn't save cookies permanently, and also doesn't save them to disk at any point. That's the only guarantee private browsing offers wrt cookies. If cookies were just forgotten immediately, no websites using cookies would ever work. The fact that they're per-private-browsing-session rather than per-tab or per-window is also already on file and either way is not a security bug.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Component: Untriaged → Private Browsing
Resolution: --- → INVALID
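
The session scoping described in the reply above, as an added example that is not part of the original bug report and is not Firefox code: a simplified model in which private windows share one in-memory cookie jar that is cleared only when the last private window closes. The class, method names and the host `example.test` are hypothetical.

```javascript
// Simplified model of cookie jar scoping (illustrative only, not Firefox source).
class BrowserModel {
  constructor() {
    this.disk = new Map();          // persistent jar used by normal windows
    this.privateJar = new Map();    // in-memory jar shared by the private session
    this.privateWindows = new Set();
    this.nextId = 1;
  }
  openWindow(isPrivate) {
    const win = { id: this.nextId++, isPrivate };
    if (isPrivate) this.privateWindows.add(win.id);
    return win;
  }
  jarFor(win) {
    // Private windows never touch the on-disk jar.
    return win.isPrivate ? this.privateJar : this.disk;
  }
  setCookie(win, host, name, value) {
    const jar = this.jarFor(win);
    if (!jar.has(host)) jar.set(host, new Map());
    jar.get(host).set(name, value);
  }
  getCookie(win, host, name) {
    const perHost = this.jarFor(win).get(host);
    return perHost && perHost.has(name) ? perHost.get(name) : "";
  }
  closeWindow(win) {
    if (!win.isPrivate) return;
    this.privateWindows.delete(win.id);
    // The private session ends only when the LAST private window closes.
    if (this.privateWindows.size === 0) this.privateJar.clear();
  }
}

function demo() {
  const b = new BrowserModel();
  const host = "example.test";                      // constructed host name
  const pw1 = b.openWindow(true);
  b.setCookie(pw1, host, "username", "alice");      // first private tab sets it
  const sameSession = b.getCookie(pw1, host, "username");   // new tab, same window
  const pw2 = b.openWindow(true);
  const otherPrivateWindow = b.getCookie(pw2, host, "username");
  const normal = b.getCookie(b.openWindow(false), host, "username");
  b.closeWindow(pw1);
  const afterOneClosed = b.getCookie(pw2, host, "username");
  b.closeWindow(pw2);                               // last private window closes
  const afterSessionEnd = b.getCookie(b.openWindow(true), host, "username");
  return { sameSession, otherPrivateWindow, normal, afterOneClosed,
           afterSessionEnd, onDisk: b.disk.size };
}
```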