Open Bug 1839806 Opened 2 years ago Updated 10 months ago

[Private Browsing] Cookies alike may still persist after closing all tabs

Categories

(Fenix :: Privacy, defect, P3)

Firefox 126
All
Android
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: masterquestionable, Unassigned)

Details

Attachments

(2 files, 1 obsolete file)

    Persistent data like cookies may at times persist after closing all tabs:
    By rapidly reopening the closed tab (or any tab?) (by pasting the URI and navigating, or using "Undo").
    .
    Looks like some race condition was occurring.

    Unsure if this applies to desktop Firefox too.

Flags: needinfo?(pbz)

The severity field is not set for this bug.
:amejia, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(amejiamarmol)

Hi :masterquestionable!
Thanks for reporting this issue.

Would you mind adding more information about the steps to reproduce, for example a specific site where you saw the issue, and how you verified that cookies were persisted after closing a private tab?

Thanks in advance!

Flags: needinfo?(amejiamarmol)
Severity: -- → S4
Priority: -- → P3

    Thanks for your interest.

    This appears to occur for any site.
    E.g. the login status on GitHub, Bugzilla, etc.


=== More info ===

    It's believed (and likely intended) that closing all tabs in Private Browsing shall erase the persistent data of session.
    But doing so (either via "Close all tabs" or manually 1-by-1) during my use may not always result in so.
    In particular combined with the action described in Comment 0. (however not quickly reopening tabs may also trigger the problem)

    My speculation is that the erasing operation may have occurred at the inappropriate moment that happened to clash with certain race condition.

    A more convenient site for the testing:
    https://browserleaks.com/ip
    .
    Which may directly report the HTTP request headers and is able to set some cookies via:
    https://browserleaks.com/settings

    This is probably related to the size of saved data (local cache).
    When large, more likely to occur.

Attached file Accidental upload, please ignore (obsolete) —
Attached file cookie-test.html

Demo HTML page that sets and displays cookies

Attachment #9365222 - Attachment description: I am not sure what summary to write → Output of about:support
Attachment #9365222 - Attachment filename: pasted.txt → about-support.txt
Attachment #9365222 - Attachment description: Output of about:support → Accidental upload, please ignore
Attachment #9365222 - Attachment filename: about-support.txt → draft.txt

(Please delete my Comment 7, I accidentally posted that text as a comment while trying to edit one of my attachments. Sorry about that.)

Attachment #9365222 - Attachment is obsolete: true

I have just rediscovered this bug independently (Firefox Beta 121.0b2). I've included my detailed steps to reproduce below in the hope that it helps make progress on this issue.
Can you please increase the severity of this bug? I think cookies persisting between private browsing sessions is very serious.

Steps to reproduce:

  1. Open Firefox for Android
  2. Close any existing private tabs
  3. Open a new private tab
  4. Type https://tom93.gitlab.io/cookie-test/ in the address bar, and copy that URL for later
  5. Go to that page. It should say:

No cookies
Setting testCookie to [random number]

Perform the following steps without pausing:

  6. Click the Tabs icon "[1]"
  7. Close the tab
  8. Focus on the address bar
  9. Perform a web search for something (e.g. "x"), but see Note A below
  10. Wait for the search results page to load
  11. Focus the URL bar (see Note B below)
  12. Paste the cookie test URL
  13. Go to that page

Note A: The address bar will try to autocomplete the search term to a website name. Make sure to perform a web search rather than visiting the suggested website.
Note B: You may be unable to focus on the URL bar due to a popup saying "Firefox just refused cookies for you". In that case, first close the popup.

Actual results:

After step 13, the first line says "Cookies: testCookie=[random number]" (with the same number shown in the "Setting testCookie" message earlier), indicating that cookies were not cleared.
(You may need to repeat steps 6-13 a couple of times until this happens, for me it happens fairly reliably except on the first time.)

Expected results:

After step 13, the first line should say "No cookies", indicating that cookies have been cleared after step 7 (when all private tabs were closed).

Additional notes:

I have sometimes been able to have cookies persisted even after I close and reopen the Firefox app, however it is not as easy to reproduce. My best strategy is as follows:
i. Repeat steps 6-13 until seeing "Cookies: testCookie=[random number]"
ii. Open Android's recent apps (using the square button on Android 9)
iii. Close Firefox by swiping it
iv. Open Firefox (it should open in private mode)
v. Paste the cookie test URL and go to that page

Environment:

Firefox Beta 121.0b2 (https://github.com/mozilla-mobile/firefox-android/releases/tag/fenix-v121.0b2)
Android-x86 9.0-r2 virtual machine (https://sourceforge.net/projects/android-x86/files/Release%209.0/)
I tried to attach the text from about:support and the cookie test HTML page.

    Why editing is important
    https://bugzilla.mozilla.org/show_bug.cgi?id=1648956
    .
    The #2. (likely just #n...)

    Just attempted if this ridiculous thing would even work...
    data:text/html,%3Cscript>%0A%09document.write(%20document.cookie%20?%20document.cookie%20:%20%22No%20cookie%22%20);%0A%09document.cookie%20=%20(%20%22_=%22%20+%20(%20new%20Date()%20).toISOString()%20+%20%22;%20max-age=86400%22%20);%0A%3C/script>

    Equivalent:
[[

<script>
	document.write( document.cookie ? document.cookie : "No cookie" );
	document.cookie = ( "_=" + ( new Date() ).toISOString() + "; max-age=86400" );
</script>

]]
    Should work on a local/remote server though.

    See also:
    https://en.wikipedia.org/wiki/Data_URI_scheme
    https://stackoverflow.com/questions/73165782

= One-liner HTTP server =

    Python 3 "http.server" module:
[[
    python -m "http.server" 8080 -b "127.0.0.1" -d "/sdcard/.cookied/"
]]
; place the cookie demo as a file named "index.html" under the directory:
    Which shall be then accessible from [ http://127.0.0.1:8080/ ].


=== See also ===

    https://docs.python.org/3/using/cmdline.html#cmdoption-m
    https://docs.python.org/3/library/http.server.html#http-server-cli

    https://www.devdungeon.com/content/one-line-http-servers#python3
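
Added example (not part of the original comments and not Mozilla code): a local test server that performs the cookie check on the HTTP side, so persistence can be confirmed from the `Cookie` request header rather than from `document.cookie`. The function name `check_request`, the status labels and the use of `127.0.0.1:8080` with the cookie name `testCookie` are assumptions chosen to match the comments above.

```python
import secrets
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE_NAME = "testCookie"  # assumed: same name the cookie-test page reports
issued = []                 # every value this server has handed out, oldest first


def check_request(cookie_header, issued_values):
    """Classify one request and choose the next cookie value.

    Returns (status, presented, new_value), where status is
      "clean"    - no test cookie sent (expected after all private tabs are closed)
      "replayed" - the browser sent back a value this server issued earlier
      "unknown"  - a test cookie was sent that this server never issued
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    presented = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
    if presented is None:
        status = "clean"
    elif presented in issued_values:
        status = "replayed"
    else:
        status = "unknown"  # e.g. the server was restarted since the cookie was set
    new_value = secrets.token_hex(8)
    issued_values.append(new_value)
    return status, presented, new_value


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/":  # favicon and similar requests must not rotate the cookie
            self.send_error(404)
            return
        status, presented, new_value = check_request(self.headers.get("Cookie"), issued)
        body = f"{status}: received {presented!r}, now setting {new_value}\n".encode()
        self.send_response(200)
        self.send_header("Set-Cookie", f"{COOKIE_NAME}={new_value}; Max-Age=86400; Path=/")
        self.send_header("Cache-Control", "no-store")  # keep cached pages out of the result
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

A reload inside the same private session also returns "replayed", which is normal; the result only indicates the bug when the request comes after all private tabs were closed.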

Version: Firefox 115 → Firefox 122

    A reliably reproducible pattern:
    |1| Address Bar search with any Search Engine. (e.g. query "x")
    |2| (whether the navigation completed) Re-navigate to the "cookied". (in whatever manner)
    |3| "Close all tabs" (in Tab Switcher menu).
    |4| "Undo".

    "Close all tabs" & "Undo" twice resolves it.

Version: Firefox 122 → Firefox 126

    I confirmed this reproduction chain:
    |*| Doesn't even require network access to attempt. (navigation status doesn't affect)
    |*| Reproducible with any amount of opened tabs.

    Could someone verify and give feedback? Thanks.

    Using below instead of "cookied" should also work:
    https://bugzilla.mozilla.org/attachment.cgi?id=9365223
