Closed Bug 1833842 Opened 1 year ago Closed 1 year ago

Extension in Firefox Private Mode allows for setting cookies

Categories

(WebExtensions :: Developer Outreach, defect)

Firefox 114

Tracking

(Not tracked)

RESOLVED MOVED

People

(Reporter: mustaqim.malim, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0

Steps to reproduce:

Hello, I've noticed that I have cookies saved for sites I didn't visit directly. When I hover over an image in Private Mode with an extension like "Imagus mod", a cookie gets saved from the image's site in Private Mode.

For instance my mouse hovered over an abc7chicago.com thumbnail on reddit and a cookie got set; I've never directly visited this site; only hovered over a thumbnail in reddit.

Someone said it's because Firefox doesn't support "incognito": "split" in manifest.json and uses "incognito": "spanning" as default: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/incognito

But I don't know if it's this. Thank you. Please see the attached video.

(I tried recording what's happened but the cursor isn't showing, please let me know if you can't understand what's happening): After closing the Settings tab, a cookie from abc7chicago.com in Private Mode shows up.

Actual results:

Cookie in Private Mode gets saved. And doesn't get removed if the

Expected results:

There should be no persistent cookies set from visiting sites in Private Mode.

The Bugbug bot thinks this bug should belong to the 'Firefox::Private Browsing' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Private Browsing

Hi Rob,

Is this a known issue from extension side? Is there anything we can do to fix this issue? Thanks.

Flags: needinfo?(rob)

The extension triggered a request in a non-private context and caused the cookies for that to be saved.

The suggested incognito:split doesn't solve the issue, because that wouldn't work for e.g. container tabs.

This is a bug with the extension. It should be triggering the request from the content script if unsure about how to fix the request context. We intend to expand the API to support fetching from the right context, in bug 1670278.

Flags: needinfo?(rob)
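The fix described in the comment above, sketched as an added example; it is not code from Imagus or from Firefox. The message type `preview` and all function names are hypothetical, and the extension is assumed to hold the `cookies` permission so that `tab.cookieStoreId` is exposed.

```javascript
// Added example: hypothetical hover-preview extension, not Imagus or Firefox code.
const DEFAULT_STORE = "firefox-default"; // cookie store of normal, non-container tabs

// True only when the requesting tab shares the background page's cookie jar.
// Private windows and container tabs do not.
function sharesBackgroundContext(sender) {
  const tab = sender && sender.tab;
  if (!tab || tab.incognito) return false;
  // cookieStoreId is exposed only with the "cookies" permission. If it is
  // missing, a container tab cannot be ruled out, so treat the tab as foreign.
  return tab.cookieStoreId === DEFAULT_STORE;
}

// Background side: decide where the preview request must be issued from.
function planPreviewFetch(message, sender) {
  if (!message || message.type !== "preview") return null;
  const from = sharesBackgroundContext(sender) ? "background" : "content-script";
  return { from, url: message.url };
}

// Background side: fetch only when the contexts match, otherwise hand the URL back.
async function onPreviewMessage(message, sender, fetchImpl = fetch) {
  const plan = planPreviewFetch(message, sender);
  if (!plan || plan.from !== "background") return plan;
  const response = await fetchImpl(plan.url);
  return { from: "background", bytes: await response.arrayBuffer() };
}

// Content-script side: when told to, fetch inside the tab so that any cookie
// lands in that tab's own cookie jar (private or container).
async function loadPreview(url, sendMessage, fetchImpl = fetch) {
  const reply = await sendMessage({ type: "preview", url });
  if (!reply) return null;
  if (reply.from === "background") return reply.bytes;
  const response = await fetchImpl(reply.url);
  return response.arrayBuffer();
}

// Register the listener only when running inside an extension background page.
if (typeof browser !== "undefined" && browser.runtime) {
  browser.runtime.onMessage.addListener((message, sender) =>
    message && message.type === "preview" ? onPreviewMessage(message, sender) : undefined);
}
```

In a real extension `loadPreview` lives in the content script and is called with `browser.runtime.sendMessage` as its second argument.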

Hi Rob,

Can we close this bug for now, given that this is a bug from the extension side?

Flags: needinfo?(rob)

I have forwarded this report to the extension author, at https://github.com/TheFantasticWarrior/chrome-extension-imagus/issues/50

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Component: Private Browsing → Developer Outreach
Flags: needinfo?(rob)
Product: Firefox → WebExtensions
Resolution: --- → MOVED