Closed Bug 1859191 Opened 1 year ago Closed 1 year ago

Cookie clearing exceptions break cookie isolation, but only https and not http

Categories

(Core :: Privacy: Anti-Tracking, defect)

Product:
Core
Component:
Privacy: Anti-Tracking
Version:
Firefox 118
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1767271

People

(Reporter: mail, Unassigned)

Details

(Whiteboard: dupeme)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0

Steps to reproduce:

I am using the latest Firefox on arch linux.

Start with a fresh profile.

Switch Enhance Tracking Protection to Strict or Custom with cookie isolation.

Enable "Delete cookies and site data when Firefox is closed" and then press "Manage Exceptions" and add google.com and press "Allow" and then "Save" (this will add entries for https://google.com and also http://google.com.

Enable "Clear History when Firefox Closes" and press "Settings" and make sure Site Settings is not checked because that will wipe out the cookie exception.

Now open google.com and log into your google account.

Then open another tab and go to dropbox.com or reddit.com or some other account that implements logging in through google.com.

Sure enough, dropbox.com or reddit.com will have a popup that shows your google account login. Cookies from google are not isolated from the new tabs.

However, now go back to Manage Exceptions and delete only the https version of the entry and leave the http entry.

Now Firefox works exactly as you expect. You can close Firefox and open it again and you'll still be logged into google. And when you go to dropbox, it has no idea who you are. Only the https entry breaks the cookie isolation.

Actual results:

Having an https entry in cookie clearing exceptions breaks cookie isolation, but http entries do not.

Expected results:

Having an https entry in cookie clearing exceptions should not affect cookie isolation.

The Bugbug bot thinks this bug should belong to the 'Core::Networking: Cookies' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Networking: Cookies
Product: Firefox → Core
Component: Networking: Cookies → Privacy: Anti-Tracking
Whiteboard: dupeme

I'll look for the duplicate bug.

Flags: needinfo?(pbz)

Found it!

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1767271
Flags: needinfo?(pbz)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.