Open Bug 1856645 Opened 2 years ago Updated 5 months ago

Cookies set in normal window show up in cookies in devtools within Private Mode

Categories

(DevTools :: General, defect, P2)

Firefox 118
defect

Tracking

(Not tracked)

People

(Reporter: kontakt, Unassigned)


Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0

Steps to reproduce:

Open two windows - one regular, one in private mode. Go to mozilla.org in both of them. Open Devtools in both of them, navigate to Storage. In regular mode, run document.cookie="leaks=true". Navigate to Private Mode, open the mozilla.org tree in cookies view, see that this cookie is visible there, as well.

Actual results:

The "leaks=true" cookie is visible in the devtools in the Private Mode window

Expected results:

It should be separate; cookies set in regular windows should not leak to private windows.

Summary: Editing cookies in devtools while in private mode leaks them to regular mode → Cookies set in normal window show up in cookies in devtools within Private Mode

This also happens across Firefox Containers

The Bugbug bot thinks this bug should belong to the 'DevTools::General' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → General
Product: Firefox → DevTools

The exact STRs seem to be:

  • open a tab in a regular Firefox window
  • open the same tab in a Private Browsing Firefox window
  • open the storage inspector in the Private Browsing Firefox window
  • run document.cookie="leaks=true" in the regular Firefox window

You will see the cookie appear in the Storage inspector of the Private Browsing Firefox window. However the cookie is not actually set. If you close/reopen devtools, the leaks cookie is gone. And using document.cookie to read cookies will also not show this cookie.

So this is most likely only a UI bug where we incorrectly show the cookie in the UI and not an actual leak of the cookie between regular and private windows.

Severity: -- → S3
Priority: -- → P2
See Also: → 1755220
Status: UNCONFIRMED → NEW
Ever confirmed: true
Duplicate of this bug: 1891929
Duplicate of this bug: 1919470

I suspect it's an issue with how we listen for cookie changes. I see that DevTools subscribes to both normal and private browsing cookie changes here: https://searchfox.org/mozilla-central/rev/3966e5534ddf922b186af4777051d579fd052bad/devtools/server/actors/resources/storage/cookies.js#528
It then calls onCookieChanged here: https://searchfox.org/mozilla-central/rev/3966e5534ddf922b186af4777051d579fd052bad/devtools/server/actors/resources/storage/cookies.js#201
but doesn't do any filtering for normal or private browsing as far as I can see? Really it should look at the cookie's OriginAttributes and compare them to the OriginAttributes of the principal of the content window the devtools instance is attached to.
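
The filtering suggested in the comment above, as an added example that is not part of the bug thread or the DevTools source: a small model, runnable in Node, of a storage panel that receives every cookie-change notification and shows only those from its own cookie jar. `StoragePanelModel`, `sameCookieJar`, `visibleCookies` and the event shape are hypothetical; `privateBrowsingId` and `userContextId` are real OriginAttributes fields, and the sample events are constructed.

```javascript
// Simplified model, not Firefox code. Only these two OriginAttributes fields
// are compared here; a real check would compare the full OriginAttributes.
const JAR_KEYS = ["privateBrowsingId", "userContextId"];

// True when a cookie belongs to the same jar as the inspected window.
function sameCookieJar(cookieAttrs, windowAttrs) {
  return JAR_KEYS.every(k => (cookieAttrs[k] ?? 0) === (windowAttrs[k] ?? 0));
}

// Models the storage panel attached to one content window.
class StoragePanelModel {
  constructor(windowAttrs, filter) {
    this.windowAttrs = windowAttrs; // OriginAttributes of the window's principal
    this.filter = filter;           // false reproduces the behaviour in this bug
    this.rows = new Map();          // "host|name" -> value, what the UI displays
  }

  // Receives every notification, from normal and private jars alike.
  onCookieChanged({ action, cookie }) {
    if (this.filter && !sameCookieJar(cookie.originAttributes, this.windowAttrs)) {
      return; // change happened in another jar: leave the UI untouched
    }
    const key = `${cookie.host}|${cookie.name}`;
    if (action === "deleted") this.rows.delete(key);
    else this.rows.set(key, cookie.value);
  }
}

// Constructed events: one regular, one private, one container (userContextId 2).
const mk = (name, privateBrowsingId, userContextId) => ({
  action: "added",
  cookie: { host: "www.mozilla.org", name, value: "true",
            originAttributes: { privateBrowsingId, userContextId } },
});
const EVENTS = [mk("leaks", 0, 0), mk("pb", 1, 0), mk("work", 0, 2)];

// Cookie rows a panel attached to the given window would end up showing.
function visibleCookies(windowAttrs, filter) {
  const panel = new StoragePanelModel(windowAttrs, filter);
  EVENTS.forEach(e => panel.onCookieChanged(e));
  return [...panel.rows.keys()].sort();
}

const privateWindow = { privateBrowsingId: 1, userContextId: 0 };
console.log("unfiltered:", visibleCookies(privateWindow, false));
console.log("filtered:  ", visibleCookies(privateWindow, true));
```

Comparing `userContextId` as well as `privateBrowsingId` covers the container case reported earlier in the thread.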

Duplicate of this bug: 1934955