Suspicious cross-site cookies access from sqlite.org on news.ycombinator.com
Component: Core :: Privacy: Anti-Tracking (defect)
Reporter: awalgarg (Unassigned)
Attachments: 1 file (107.36 KB, image/png)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0
Steps to reproduce:
- Visit news.ycombinator.com.
- Notice a new "cog" icon in the url bar.
- Click on it.
- It shows that sqlite.org is allowed to access cross-site cookies.
This does not happen on the machines of other users on IRC.
As far as I understand, for this to happen, sqlite.org would have had to send a request to news.ycombinator.com in some manner at least.
Now I'm assuming that sqlite.org would not have done that. I'm also assuming that sqlite.org was not compromised (I don't use any machine which could have faced any TLS compromise). In fact I rarely visit sqlite.org.
I'm not claiming that this is necessarily an issue with Firefox, but I find it odd and suspicious enough that I figured it'd be better to report it than not.
Actual results:
- It shows that sqlite.org is allowed to access cross-site cookies.
Expected results:
- It should not show that or anything like that.
Comment 2 • 8 days ago
This is most likely triggered by one of our storage access heuristics which are used to unbreak common flows that rely on unpartitioned cookie access.
This is not a security issue, more likely an overly eager storage access heuristic. The site boundary for cookies is intact, i.e. sqlite.org isn't suddenly allowed to access news.ycombinator.com's cookies.
Comment 3 • 8 days ago
See https://developer.mozilla.org/en-US/docs/Web/Privacy/Guides/State_Partitioning#storage_access_heuristics for more details. I haven't confirmed whether the heuristics are behaving correctly in this case.