Clear on shutdown does not clear cookies set for IPv6 hosts
Categories
(Toolkit :: Data Sanitization, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox125 | --- | fixed |
People
(Reporter: pbz, Assigned: leander.schwarz, Mentored)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
(Keywords: priv-triaged, Whiteboard: [lang=c++] [lang=js])
Attachments
(1 file)
Cookies added for IPv6 hosts don't get cleared on shutdown even if sanitize on shutdown is enabled.
I suspect the issue is that nsIPrincipal
serializes IPv6 hosts differently than the cookie service. For a given URI, e.g. https://[2606:4700:4700::1111]/
the cookie service will store the host as [2606:4700:4700::1111]
whereas nsIPrincipal#host
returns 2606:4700:4700::1111
. This mismatch leads to cookies from IPv6 principals not being cleared here. We pass in a host without brackets where the cookie service expects /keys by hosts with brackets.
Here is the stack trace for a sanitize-on-shutdown call clearing cookies:
deleteByHost (resource://gre/modules/ClearDataService.sys.mjs#125)
deleteByHost (resource://gre/modules/ClearDataService.sys.mjs#124)
deleteByPrincipal (resource://gre/modules/ClearDataService.sys.mjs#137)
deleteDataFromPrincipal (resource://gre/modules/ClearDataService.sys.mjs#1734)
promises (resource://gre/modules/ClearDataService.sys.mjs#1835)
promises (resource://gre/modules/ClearDataService.sys.mjs#1834)
_deleteInternal (resource://gre/modules/ClearDataService.sys.mjs#1832)
deleteDataFromPrincipal (resource://gre/modules/ClearDataService.sys.mjs#1733)
sanitizeSessionPrincipal (resource:///modules/Sanitizer.sys.mjs#1043)
sanitizeSessionPrincipal (resource:///modules/Sanitizer.sys.mjs#1041)
maybeSanitizeSessionPrincipals (resource:///modules/Sanitizer.sys.mjs#959)
maybeSanitizeSessionPrincipals (resource:///modules/Sanitizer.sys.mjs#950)
clear (resource:///modules/Sanitizer.sys.mjs#389)
sanitizeInternal (resource:///modules/Sanitizer.sys.mjs#785)
sanitize (resource:///modules/Sanitizer.sys.mjs#286)
sanitizeOnShutdown (resource:///modules/Sanitizer.sys.mjs#857)
runSanitizeOnShutdown (resource:///modules/Sanitizer.sys.mjs#359)
Reporter | ||
Comment 1•1 year ago
•
|
||
I've verified that this is the root cause by running the following calls in the browser console:
// Initially, there is an IPV6 cookie
Services.cookies.cookies
Array [ XPCWrappedNative_NoHelper ]
Services.cookies.cookies.map(c => c.rawHost)
Array [ "[2606:4700:4700::1111]" ]
// Calling remove with a host without brackets
Services.cookies.removeCookiesFromExactHost(
"2606:4700:4700::1111",
JSON.stringify({})
);
undefined
// The cookie is still there
Services.cookies.cookies.map(c => c.rawHost)
Array [ "[2606:4700:4700::1111]" ]
// Calling remove with a host with brackets
Services.cookies.removeCookiesFromExactHost(
"[2606:4700:4700::1111]",
JSON.stringify({})
);
undefined
// The cookie has been removed.
Services.cookies.cookies.map(c => c.rawHost)
Array []
Reporter | ||
Comment 2•1 year ago
|
||
IPV6 cookies don't seem that common so I'm setting this to an S3.
Reporter | ||
Updated•11 months ago
|
Assignee | ||
Updated•10 months ago
|
Assignee | ||
Comment 3•10 months ago
|
||
Comment 5•9 months ago
|
||
bugherder |
Description
•