Extension in Firefox Private Mode allows for setting cookies
Categories: WebExtensions :: Developer Outreach, defect
Tracking: Not tracked
People: Reporter: mustaqim.malim, Unassigned
Attachments: 1 file (2.05 MB, video/webm)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
Steps to reproduce:
Hello, I've noticed that I have cookies saved for sites I didn't visit directly. When I hover over an image in Private Mode with an extension like "Imagus mod", a cookie gets saved from the image's site in Private Mode.
For instance my mouse hovered over an abc7chicago.com thumbnail on reddit and a cookie got set; I've never directly visited this site; only hovered over a thumbnail in reddit.
Someone said it's because Firefox doesn't support "incognito": "split" in manifest.json and uses "incognito": "spanning" as default: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/incognito
But I don't know if it's this. Thank you. Please see the attached video.
(I tried recording what's happened but the cursor isn't showing, please let me know if you can't understand what's happening): After closing the Settings tab, a cookie from abc7chicago.com in Private Mode shows up.
Actual results:
Cookie in Private Mode gets saved. And doesn't get removed if the
Expected results:
There should be no persistent cookies set from visiting sites in Private Mode.
Comment 1•1 year ago
The Bugbug bot thinks this bug should belong to the 'Firefox::Private Browsing' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•1 year ago
Hi Rob,
Is this a known issue from extension side? Is there anything we can do to fix this issue? Thanks.
Comment 3•1 year ago
The extension triggered a request in a non-private context and caused the cookies for that to be saved.
The suggested incognito:split doesn't solve the issue, because that wouldn't work for e.g. container tabs.
This is a bug with the extension. It should be triggering the request from the content script if unsure about how to fix the request context. We intend to expand the API to support fetching from the right context, in bug 1670278.
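A sketch of the fix described in Comment 3, as an added example that is not part of the bug report or the extension's code: the background page declines to fetch on behalf of private or container tabs, and the content script makes the request itself. The message shape, function names and the `fetchInContentScript` flag are hypothetical.

```javascript
// Added example: not Imagus or Firefox code. The message shape, the function
// names and the fetchInContentScript flag are hypothetical.

// Cookie store used by normal (non-private, non-container) tabs in Firefox.
const DEFAULT_STORE = "firefox-default";

// True when a background-page request would run outside the tab's context.
// Private windows and container tabs each have a cookie store of their own.
function needsTabContext(sender) {
  const tab = sender && sender.tab;
  if (!tab || tab.incognito) return true;
  // cookieStoreId is only present with the "cookies" permission; when it is
  // missing the tab's store is unknown, so fail closed.
  return tab.cookieStoreId !== DEFAULT_STORE;
}

// Background side: fetch only on behalf of normal tabs, otherwise hand back.
async function onPreviewRequest(msg, sender, fetchImpl = fetch) {
  if (needsTabContext(sender)) return { fetchInContentScript: true };
  const res = await fetchImpl(msg.url);
  return { status: res.status };
}

// Content-script side: if the background declines, fetch from the tab itself
// so the request keeps the tab's private or container state.
async function loadPreview(url, sendMessage, fetchImpl = fetch) {
  const reply = await sendMessage({ type: "preview", url });
  if (reply && !reply.fetchInContentScript) return reply;
  const res = await fetchImpl(url);
  return { status: res.status, fetchedInTab: true };
}

// Background wiring; skipped when the WebExtension API is not available.
if (typeof browser !== "undefined" && browser.runtime && browser.runtime.onMessage) {
  browser.runtime.onMessage.addListener((msg, sender) =>
    msg && msg.type === "preview" ? onPreviewRequest(msg, sender) : undefined);
}
```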
Comment 4•1 year ago
Hi Rob,
Can we close this bug for now, given that this is a bug from the extension side?
Comment 5•1 year ago
I have forwarded this report to the extension author, at https://github.com/TheFantasticWarrior/chrome-extension-imagus/issues/50