Closed Bug 1860033 Opened 8 months ago Closed 4 months ago

Clear on shutdown does not clear cookies set for IPv6 hosts

Categories

(Toolkit :: Data Sanitization, defect, P2)

Tracking

RESOLVED FIXED
125 Branch
Tracking Status
firefox125 --- fixed

People

(Reporter: pbz, Assigned: lschwarz, Mentored)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: priv-triaged, Whiteboard: [lang=c++] [lang=js])

Attachments

(1 file)

Cookies added for IPv6 hosts don't get cleared on shutdown even if sanitize on shutdown is enabled.

I suspect the issue is that nsIPrincipal serializes IPv6 hosts differently than the cookie service. For a given URI, e.g. https://[2606:4700:4700::1111]/, the cookie service will store the host as [2606:4700:4700::1111] whereas nsIPrincipal#host returns 2606:4700:4700::1111. This mismatch leads to cookies from IPv6 principals not being cleared here. We pass in a host without brackets where the cookie service expects / keys by hosts with brackets.

Here is the stack trace for a sanitize-on-shutdown call clearing cookies:

deleteByHost (resource://gre/modules/ClearDataService.sys.mjs#125)
deleteByHost (resource://gre/modules/ClearDataService.sys.mjs#124)
deleteByPrincipal (resource://gre/modules/ClearDataService.sys.mjs#137)
deleteDataFromPrincipal (resource://gre/modules/ClearDataService.sys.mjs#1734)
promises (resource://gre/modules/ClearDataService.sys.mjs#1835)
promises (resource://gre/modules/ClearDataService.sys.mjs#1834)
_deleteInternal (resource://gre/modules/ClearDataService.sys.mjs#1832)
deleteDataFromPrincipal (resource://gre/modules/ClearDataService.sys.mjs#1733)
sanitizeSessionPrincipal (resource:///modules/Sanitizer.sys.mjs#1043)
sanitizeSessionPrincipal (resource:///modules/Sanitizer.sys.mjs#1041)
maybeSanitizeSessionPrincipals (resource:///modules/Sanitizer.sys.mjs#959)
maybeSanitizeSessionPrincipals (resource:///modules/Sanitizer.sys.mjs#950)
clear (resource:///modules/Sanitizer.sys.mjs#389)
sanitizeInternal (resource:///modules/Sanitizer.sys.mjs#785)
sanitize (resource:///modules/Sanitizer.sys.mjs#286)
sanitizeOnShutdown (resource:///modules/Sanitizer.sys.mjs#857)
runSanitizeOnShutdown (resource:///modules/Sanitizer.sys.mjs#359)

I've verified that this is the root cause by running the following calls in the browser console:

// Initially, there is an IPv6 cookie
Services.cookies.cookies
Array [ XPCWrappedNative_NoHelper ]

Services.cookies.cookies.map(c => c.rawHost)
Array [ "[2606:4700:4700::1111]" ]

// Calling remove with a host without brackets
Services.cookies.removeCookiesFromExactHost(
        "2606:4700:4700::1111",
        JSON.stringify({})
      );
undefined
// The cookie is still there
Services.cookies.cookies.map(c => c.rawHost)
Array [ "[2606:4700:4700::1111]" ]

// Calling remove with a host with brackets
Services.cookies.removeCookiesFromExactHost(
        "[2606:4700:4700::1111]",
        JSON.stringify({})
      );
undefined
// The cookie has been removed.
Services.cookies.cookies.map(c => c.rawHost)
Array []

IPv6 cookies don't seem that common so I'm setting this to an S3.

Blocks: 1102808
Severity: S2 → S3
Mentor: pbz
Whiteboard: [lang=c++] [lang=js]
Keywords: priv-triaged
Assignee: nobody → lschwarz
See Also: → 1193416
Depends on: 1882259
Pushed by bvandersloot@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0027da61966d
removeCookiesFromExactHost by serialized baseDomain for IPv6 cookies. r=pbz,cookie-reviewers,valentin
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
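
The mismatch described in the report, reduced to a stand-alone model that runs outside the browser (an added example, not code from Firefox or from the landed patch). The `Map`-based store, the sample URIs and every function name are hypothetical; `removeCookiesFromExactHost` here only imitates the exact-string matching seen in the console session, and normalizing the host at the caller is one possible approach, not necessarily what the patch does.

```javascript
// Stand-alone model of the host mismatch; not Firefox code, all names hypothetical.

// Cookie-store side: the key is the URI host as written, brackets included.
function cookieHostKey(uri) {
  return new URL(uri).hostname; // "[2606:4700:4700::1111]" for an IPv6 literal
}

// Principal side, as described in the report: same host, brackets stripped.
function principalHost(uri) {
  return cookieHostKey(uri).replace(/^\[(.*)\]$/, "$1");
}

// Imitates exact-host removal: only a string-equal key is deleted.
function removeCookiesFromExactHost(store, host) {
  return store.delete(host);
}

// Map a principal-style host onto the store's key form. A bare host that
// contains ":" can only be an IPv6 literal, since the port is not part of it.
function toCookieHostKey(host) {
  if (host.startsWith("[") || !host.includes(":")) return host;
  try {
    return new URL(`http://[${host}]/`).hostname; // validates and canonicalizes
  } catch (e) {
    return host; // not a valid IPv6 literal, leave untouched
  }
}

// Build a store from constructed sample URIs (one dummy cookie per host).
function makeStore(uris) {
  return new Map(uris.map((u) => [cookieHostKey(u), [{ name: "sid", value: "x" }]]));
}

// Run a clear pass for each principal and return the hosts that survived it.
function clearForPrincipals(store, uris, normalize) {
  for (const uri of uris) {
    const host = principalHost(uri);
    removeCookiesFromExactHost(store, normalize ? toCookieHostKey(host) : host);
  }
  return [...store.keys()];
}

// Constructed sample input: one IPv6 literal, one domain, one IPv4 literal.
const SAMPLE_URIS = ["https://[2606:4700:4700::1111]/", "https://example.com/", "https://192.0.2.1/"];

console.log(clearForPrincipals(makeStore(SAMPLE_URIS), SAMPLE_URIS, false));
console.log(clearForPrincipals(makeStore(SAMPLE_URIS), SAMPLE_URIS, true));
```

Asserting that the store is empty after a clear pass over a mixed set of hosts, as the second call does, is the kind of regression check that catches this class of key mismatch.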