After closing the last Private Window, context is not always reset/cleared...
Categories
(Firefox :: Private Browsing, defect, P2)
Tracking
()
People
(Reporter: thejaka.dev, Assigned: timhuang, NeedInfo)
Details
(Keywords: privacy, reporter-external, sec-low, Whiteboard: [adv-main117+] [adv-esr115.2+])
Attachments
(5 files, 1 obsolete file)
31.07 KB,
text/plain
|
Details | |
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-esr115+
|
Details | Review |
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-esr115+
|
Details | Review |
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-esr115+
|
Details | Review |
354 bytes,
text/plain
|
Details |
Regression of Bug 1585306
I have previously reported the regression a long time ago, but it hasn't been addressed yet.
See previous STR first.
I have now found new STR:
-
Open a new Firefox instance. Alternatively, start by closing all private windows and tabs.
-
Open two successive (empty) tabs, loading Google in each.
-
Close the entire private window that contains the two tabs.
-
Immediately after closing in step 3, open a new private window and navigate to Gmail.
Expected Result: The Gmail login page (see original STR screenshot) should be loaded.
Actual Result: The Gmail home page (see original STR screenshot) is loaded.
The original screenshots may be different from the current screens, but should suffice.
As a security and privacy issue, I wonder why this hasn't been addressed sooner.
Assignee | ||
Comment 1•1 year ago
|
||
Thanks for reporting,
I have some questions regarding the STR.
In step 2, should the two tabs be opened inside a private window? Do we need to sign in for these two tabs?
In step 3, how fast do we need to open a new private window? I am wondering if this is a time racing issue.
Last, do you test these with permanent private browsing enabled?
Thanks,
Reporter | ||
Comment 2•1 year ago
|
||
Sorry, I hadn’t stated it clearly.
Yes, the two tabs have to be opened as private.
The first can be opened by using “New private window” from hamburger menu.
The second tab can be opened using the + for new tab.
Alternatively, I guess you could use bookmarks.
Time seems to be irrelevant. I have waited for more than a minute or so.
No, I haven’t enabled permanent private browsing.
Updated STR:
-
Open a new Firefox instance. Alternatively, start by closing all private windows and tabs.
-
Open a private window and open a second private tab as well, loading Google in each tab.
-
Close the entire private window that contains the two tabs.
-
After closing in step 3, open a new private window and navigate to Gmail.
Assignee | ||
Comment 3•1 year ago
|
||
We try to reproduce this issue with the updated steps, but we couldn't successfully reproduce it. Would you be able to provide your troubleshooting information on your about:support
page to help us analyze the issue? Thanks.
Reporter | ||
Comment 4•1 year ago
|
||
Reporter | ||
Updated•1 year ago
|
Reporter | ||
Comment 5•1 year ago
|
||
Note: When closing in step 3, close the entire window with the X on the window. not the tabs individually.
Assignee | ||
Updated•1 year ago
|
Assignee | ||
Comment 6•1 year ago
|
||
The CanonicalBrowsingContext::IsPrivateBrowsingActive() function allows
us to know if private browsing is active. We need it to prevent setting
cookies if there is no active private browsing session.
Assignee | ||
Comment 7•1 year ago
|
||
Depends on D184010
Assignee | ||
Comment 8•1 year ago
|
||
Depends on D184011
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Assignee | ||
Comment 9•1 year ago
|
||
The HttpBaseChannel::IsBrowsingContextDiscarded() did always return
false if the loadGroup is not avaiable. But, this may not be correct for
the private channels if the private session has been ended. To fix this,
we make the function to check the global private browsing state
if the loadGroup is not available for private channels.
Depends on D184010
Assignee | ||
Updated•1 year ago
|
Comment 10•1 year ago
|
||
Comment 11•1 year ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/b26aeacc05b3
https://hg.mozilla.org/mozilla-central/rev/bb290a3bdead
https://hg.mozilla.org/mozilla-central/rev/62a2a4cf426a
Comment 12•1 year ago
|
||
Unfortunately I was not able either to reproduce this issue by following the STR mentioned in Comment 2.
Thejaka, could you please check if the issue no longer persists in the latest Nightly 117.0a1 version? Thanks
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Comment 13•1 year ago
|
||
It sounds like we might want to uplift this to ESR115? Please nominate if yes - it grafts cleanly.
Assignee | ||
Comment 14•1 year ago
|
||
Comment on attachment 9344673 [details]
Bug 1842030 - Part 1: Adding CanonicalBrowsingContext::IsPrivateBrowsingActive(). r?nika!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: The bug affects the users who are using private windows in ESR.
- User impact if declined: Cookies could leak across different private browsing sessions.
- Fix Landed on Version: 117
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The fix is small and doesn't change user behaviors.
Assignee | ||
Updated•1 year ago
|
Assignee | ||
Updated•1 year ago
|
Updated•1 year ago
|
Comment 15•1 year ago
|
||
I am not able to reproduce the issue on Win11 using FF build 115.0.2 and the steps provided in comment#2, so I can not confirm the fix.
Reporter, can you please verify the fix on build 115.2.0esr (https://archive.mozilla.org/pub/firefox/candidates/115.2.0esr-candidates/build1/win64/). Thank you.
Comment 16•1 year ago
|
||
Updated•1 year ago
|
Comment 17•1 year ago
|
||
Comment on attachment 9344673 [details]
Bug 1842030 - Part 1: Adding CanonicalBrowsingContext::IsPrivateBrowsingActive(). r?nika!
Approved for 115.3esr.
Comment 18•1 year ago
|
||
Comment on attachment 9344675 [details]
Bug 1842030 - Part 3: Add a test to ensure a beacon response for a private session won't set cookie after private session ends. r?#anti-tracking
Approved for 115.3esr.
Comment 19•1 year ago
|
||
Comment on attachment 9345569 [details]
Bug 1842030 - Part 2: Check the global private browsing state for HttpBaseChannel::IsBrowsingContextDiscarded() if the loadGroup is not avaiable. r?#necko
Approved for 115.3esr.
Comment 20•1 year ago
|
||
uplift |
Updated•1 year ago
|
Updated•1 year ago
|
Updated•11 months ago
|
Comment 21•6 months ago
|
||
Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external
keyword to security bugs found by non-employees for accounting reasons
Description
•