Open Bug 1884683 Opened 8 months ago Updated 3 months ago

Cookie deletion exception dialog: Origins input without protocol should only create https exceptions (no http ones)

Categories

(Toolkit :: Data Sanitization, defect, P3)

Firefox 123
Desktop
All
defect

People

(Reporter: amanita+BUGZILLA, Unassigned)

Attachments

(1 file)

Steps to reproduce:

I delete all cookies by default and add the sites I need as exceptions, as is the best way to do it.

Actual results:

I always skip "https://" in links as it is redundant and I set Firefox to always use HTTPS by default.

When I enter a URL without the prefix, it is added as cookie exception for both http and https, which is not wanted.

Expected results:

A website URL could be spoofed when not using http, for example through a DNS redirect, commonly seen with Captive Portals.

(Apart from using HTTPS "only" by default) Firefox should never save the http:// address in the cookie exception, but only the "https://" site, if no such prefix is added.

This mitigates a spoofed website catching cookies that can circumvent 2FA and more.

I think it would be best to entirely remove the "http://" address from being added automatically, as users can still do it manually by entering "http://url.com" instead of "url.com".

The Bugbug bot thinks this bug should belong to the 'Core::Networking: DNS' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Networking: DNS
Product: Firefox → Core
Component: Networking: DNS → Settings UI
Product: Core → Firefox
Component: Settings UI → Data Sanitization
OS: Unspecified → All
Product: Firefox → Toolkit
Hardware: Unspecified → Desktop
Summary: Only save https:// cookies in exception field if no prefix is added → Cookie deletion exception dialog: Origins input without protocol should only create https exceptions (no http ones)
See Also: → 1767271
Severity: -- → S3
Priority: -- → P3

Hello! I have tried to reproduce the issue with Firefox 126.0a1 (2024-04-08) on Ubuntu 22.04; unfortunately I wasn't able to reproduce the issue on my end.
Could you please answer the following questions in order to further investigate this issue:

  1. Does this issue happen with a new profile? Here is a link on how to create one: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
  2. Does this issue happen in the latest nightly? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/
  3. Do you have any addons installed? If yes could you please list them?
Flags: needinfo?(amanita+BUGZILLA)

I don't think that you cannot reproduce this:

  1. Enable "delete all cookies and site data when NAME is closed"
  2. Add an exception, input "test.de"
  3. Firefox automatically adds "http://test.de" and "https://test.de" instead?

I don't see how this should be related to any of the things you mentioned above; I have known this as the default behavior for years.

The issue is that spoofed http sites could steal cookies; the wanted solution is to only autocomplete "https://test.de" if "test.de" is input. People can still add "http://test.de" if they really really want to.

I can reproduce this on Librewolf 124.0.1 and Nightly 126.0a1 (2024-04-09) (64-bit) without any settings or addons.

Flags: needinfo?(amanita+BUGZILLA)
Status: UNCONFIRMED → NEW
Ever confirmed: true
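The three reproduction steps and the requested change, as an added JavaScript example that is not Firefox's own code: one function reproduces the behaviour described in the bug (a bare host is expanded to both schemes), the other implements the proposed rule (a bare host becomes an https origin only, http only when typed explicitly). The function names, the scheme regex and the sample inputs are assumptions made for this illustration.

```javascript
// Added example, not Firefox code: how a cookie-exception dialog might turn
// what the user types into permission origins. Function names and the
// scheme handling are assumptions for this illustration.

// Matches an explicit scheme such as "http://", "HTTPS://" or "ftp://".
const SCHEME_RE = /^[a-z][a-z0-9+.-]*:\/\//i;

// Behaviour described in the bug: "test.de" is expanded to BOTH
// "http://test.de" and "https://test.de". An explicit scheme is kept as typed.
function expandOriginsCurrent(input) {
  const text = input.trim();
  if (SCHEME_RE.test(text)) {
    return [new URL(text).origin];
  }
  return [new URL("http://" + text).origin, new URL("https://" + text).origin];
}

// Requested behaviour: no scheme typed -> https origin only. An http
// exception is created only when the user writes "http://" themselves.
// URL.origin lower-cases the host, drops default ports (":443"), strips any
// path or query, punycode-encodes IDNs, and the constructor throws on input
// that is not a valid host (e.g. "not a host"), so garbage never becomes an
// exception. Schemes other than http(s) are rejected as well, since a cookie
// exception for them would be meaningless.
function expandOriginsProposed(input) {
  const text = input.trim();
  const url = new URL(SCHEME_RE.test(text) ? text : "https://" + text);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error("cookie exceptions need an http(s) origin, got " + url.protocol);
  }
  return [url.origin];
}

// Constructed sample inputs (not taken from the bug report) to compare both rules.
const samples = ["test.de", "http://test.de", "HTTPS://Test.DE:443/login", "test.de:8443", "bücher.de"];
for (const s of samples) {
  console.log(JSON.stringify(s),
    "current:", JSON.stringify(expandOriginsCurrent(s)),
    "proposed:", JSON.stringify(expandOriginsProposed(s)));
}
```

Run with `node` to see the two expansions side by side; the proposed variant never emits an `http://` origin unless the user typed one.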