Closed Bug 1842030 (CVE-2023-4583) Opened 9 months ago Closed 9 months ago

After closing the last Private Window, context is not always reset/cleared...

Categories

(Firefox :: Private Browsing, defect, P2)

Firefox 115
x86_64
Windows 11
defect

Tracking

()

RESOLVED FIXED
117 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- fixed
firefox116 --- wontfix
firefox117 --- fixed

People

(Reporter: thejaka.dev, Assigned: timhuang, NeedInfo)

Details

(Keywords: privacy, sec-low, Whiteboard: [adv-main117+] [adv-esr115.2+])

Attachments

(5 files, 1 obsolete file)

Regression of Bug 1585306

I have previously reported the regression a long time ago, but it hasn't been addressed yet.

See previous STR first.

I have now found new STR:

  1. Open a new Firefox instance. Alternatively, start by closing all private windows and tabs.

  2. Open two successive (empty) tabs, loading Google in each.

  3. Close the entire private window that contains the two tabs.

  4. Immediately after closing in step 3, open a new private window and navigate to Gmail.

Expected Result: The Gmail login page (see original STR screenshot) should be loaded.

Actual Result: The Gmail home page (see original STR screenshot) is loaded.

The original screenshots may be different from the current screens, but should suffice.

As a security and privacy issue, I wonder why this hasn't been addressed sooner.

Thanks for reporting,

I have some questions regarding the STR.

In step 2, should the two tabs be opened inside a private window? Do we need to sign in for these two tabs?

In step 3, how fast do we need to open a new private window? I am wondering if this is a time racing issue.

Last, do you test these with permanent private browsing enabled?

Thanks,

Flags: needinfo?(thejaka.dev)

Sorry, I hadn’t stated it clearly.

Yes, the two tabs have to be opened as private.
The first can be opened by using “New private window” from hamburger menu.
The second tab can be opened using the + for new tab.
Alternatively, I guess you could use bookmarks.

Time seems to be irrelevant. I have waited for more than a minute or so.

No, I haven’t enabled permanent private browsing.

Updated STR:

  1. Open a new Firefox instance. Alternatively, start by closing all private windows and tabs.

  2. Open a private window and open a second private tab as well, loading Google in each tab.

  3. Close the entire private window that contains the two tabs.

  4. After closing in step 3, open a new private window and navigate to Gmail.

Flags: needinfo?(thejaka.dev)

We try to reproduce this issue with the updated steps, but we couldn't successfully reproduce it. Would you be able to provide your troubleshooting information on your about:support page to help us analyze the issue? Thanks.

Flags: needinfo?(thejaka.dev)
Flags: needinfo?(thejaka.dev)

Note: When closing in step 3, close the entire window with the X on the window. not the tabs individually.

Assignee: nobody → tihuang
Status: UNCONFIRMED → NEW
Ever confirmed: true

The CanonicalBrowsingContext::IsPrivateBrowsingActive() function allows
us to know if private browsing is active. We need it to prevent setting
cookies if there is no active private browsing session.

Keywords: privacy, sec-low
Attachment #9344673 - Attachment is obsolete: true
Attachment #9344674 - Attachment is obsolete: true
Attachment #9344673 - Attachment is obsolete: false

The HttpBaseChannel::IsBrowsingContextDiscarded() did always return
false if the loadGroup is not avaiable. But, this may not be correct for
the private channels if the private session has been ended. To fix this,
we make the function to check the global private browsing state
if the loadGroup is not available for private channels.

Depends on D184010

Severity: -- → S2
Status: NEW → ASSIGNED
Priority: -- → P2
Pushed by tihuang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b26aeacc05b3
Part 1: Adding CanonicalBrowsingContext::IsPrivateBrowsingActive(). r=nika
https://hg.mozilla.org/integration/autoland/rev/bb290a3bdead
Part 2: Check the global private browsing state for HttpBaseChannel::IsBrowsingContextDiscarded() if the loadGroup is not avaiable. r=necko-reviewers,jesup
https://hg.mozilla.org/integration/autoland/rev/62a2a4cf426a
Part 3: Add a test to ensure a beacon response for a private session won't set cookie after private session ends. r=anti-tracking-reviewers,pbz
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 117 Branch

Unfortunately I was not able either to reproduce this issue by following the STR mentioned in Comment 2.
Thejaka, could you please check if the issue no longer persists in the latest Nightly 117.0a1 version? Thanks

Flags: needinfo?(thejaka.dev)
Flags: qe-verify+

It sounds like we might want to uplift this to ESR115? Please nominate if yes - it grafts cleanly.

Flags: needinfo?(tihuang)
Flags: in-testsuite+

Comment on attachment 9344673 [details]
Bug 1842030 - Part 1: Adding CanonicalBrowsingContext::IsPrivateBrowsingActive(). r?nika!

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: The bug affects the users who are using private windows in ESR.
  • User impact if declined: Cookies could leak across different private browsing sessions.
  • Fix Landed on Version: 117
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The fix is small and doesn't change user behaviors.
Flags: needinfo?(tihuang)
Attachment #9344673 - Flags: approval-mozilla-esr115?
Attachment #9344675 - Flags: approval-mozilla-esr115?
Attachment #9345569 - Flags: approval-mozilla-esr115?
QA Whiteboard: [qa-triaged]

I am not able to reproduce the issue on Win11 using FF build 115.0.2 and the steps provided in comment#2, so I can not confirm the fix.
Reporter, can you please verify the fix on build 115.2.0esr (https://archive.mozilla.org/pub/firefox/candidates/115.2.0esr-candidates/build1/win64/). Thank you.

QA Whiteboard: [qa-triaged]
Flags: needinfo?(thejaka.dev)
Whiteboard: [adv-main117+] [adv-esr115.2+]

Comment on attachment 9344673 [details]
Bug 1842030 - Part 1: Adding CanonicalBrowsingContext::IsPrivateBrowsingActive(). r?nika!

Approved for 115.3esr.

Attachment #9344673 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

Comment on attachment 9344675 [details]
Bug 1842030 - Part 3: Add a test to ensure a beacon response for a private session won't set cookie after private session ends. r?#anti-tracking

Approved for 115.3esr.

Attachment #9344675 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

Comment on attachment 9345569 [details]
Bug 1842030 - Part 2: Check the global private browsing state for HttpBaseChannel::IsBrowsingContextDiscarded() if the loadGroup is not avaiable. r?#necko

Approved for 115.3esr.

Attachment #9345569 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Flags: qe-verify+
Alias: CVE-2023-4583
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: