Closed Bug 221457 Opened 22 years ago Closed 22 years ago

Option to block cookies on redirect.

Categories

(Core :: Networking: Cookies, enhancement)

enhancement
Not set
normal

RESOLVED WONTFIX

People

(Reporter: thesh_bugs, Assigned: darin.moz)

Details

User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5) Gecko/20030925
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5) Gecko/20030925

I noticed that I have been getting cookies from sites that I didn't visit, even though I block third party cookies and don't allow javascript to set cookies. It appears that some sites temporarily redirect you to another site to get around the blocking of third party cookies.

I would like to see an option that would allow you to block all cookies from a site that you are redirected to if you are redirected to a site with different domain - i.e. if server.somewebsite.com redirected me to cookies.someotherwebsite.com to set a cookie, it would be blocked; of course, if someone can think of a better way to stop this from happening, I would like to see it implemented.

Reproducible: Always

Steps to Reproduce:

Reporter, do you realize that this will cause errors with many sites, like http://mail.yahoo.com ? You'll see a "redirection limit exceeded" error-message.

if you're terribly paranoid, the best way is to whitelist the sites you want cookies from, and then allow session-only cookies from all other sites. (or block them completely). note that this isn't quite possible yet, but will be soon, once the patch to bug 217286 lands. implementing block-on-redirect/block-from-foreign is pretty hard to do, really...

"Reporter, do you realize that this will cause errors with many sites, like http://mail.yahoo.com ? You'll see a "redirection limit exceeded" error-message"

You would just have to whitelist mail.yahoo.com and login.yahoo.com, or any other site that works like that.

"if you're terribly paranoid, the best way is to whitelist the sites you want cookies from, and then allow session-only cookies from all other sites. (or block them completely)."

Here is the thing, I like to reject third party cookies entirely, and I would like to block this method used to get around it as well. If something could be done, it would be nice and I would like to see it done. Of course, if it would really be that difficult to do, even after that patch, then it probably wouldn't be worth implementing.

well, the problem is, our current architecture makes it difficult to implement this feature (even block-from-third-party doesn't work properly)... so realistically, your best bet is to follow my suggestion. we may or may not implement this in the future. the patch i mentioned allows for whitelisting certain sites, and allowing only session cookies from all others (which is a good compromise between site functionality and privacy). right now, you could always whitelist certain sites and completely block others. it's more work for you, but it accomplishes what you want.

this is another one of those "all things to all people" bugs that we are probably never going to fix, because it's special-casing redirects, and bloating the backend for a pref that we would absolutely bury (I wouldn't even want UI for it). The net result would be a bunch of sites will break, and the whitelist + current session is almost as good as this, and much easier/more functional. dwitte, WONTFIX?

Might as well...

Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → WONTFIX
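
The trade-off discussed in this thread, as an added example that is not part of the bug report and is not Mozilla code: a small simulation of the requested "block cookies on cross-domain redirect" policy, showing the tracker cookie being dropped and a login flow hitting the redirection limit until its host is whitelisted. All hosts, cookie names, the `navigate` function and the limit of 20 are constructed for illustration, and "same domain" is approximated by the last two host labels.

```javascript
// Added example, not Mozilla code. Hosts, cookie names and the limit are constructed.
const REDIRECT_LIMIT = 20; // assumed cap standing in for the browser's redirection limit

// Assumption: "same domain" means the same last two host labels.
// A real implementation would need the Public Suffix List.
const baseDomain = (host) => host.split(".").slice(-2).join(".");

// Constructed servers: each returns { status, location?, setCookie? } for one request.
// `has(name)` tells the server whether the request carried that cookie.
const servers = {
  "news.site.test/": () => ({ status: 302, location: "http://cookies.tracker.test/sync" }),
  "cookies.tracker.test/sync": () =>
    ({ status: 302, setCookie: "uid", location: "http://news.site.test/home" }),
  "news.site.test/home": () => ({ status: 200 }),
  "mail.webmail.test/": () => ({ status: 302, location: "http://login.sso.test/" }),
  // Sets a cookie, then redirects to itself to confirm the cookie was stored.
  "login.sso.test/": (has) => has("sso")
    ? { status: 302, location: "http://mail.webmail.test/inbox" }
    : { status: 302, setCookie: "sso", location: "http://login.sso.test/" },
  "mail.webmail.test/inbox": () => ({ status: 200 }),
};

function navigate(startUrl, { blockOnRedirect, whitelist = [] }) {
  const jar = new Set(); // entries are "host|cookieName"
  const blocked = [];
  const origin = baseDomain(new URL(startUrl).hostname);
  let url = new URL(startUrl);
  for (let hops = 0; hops <= REDIRECT_LIMIT; hops++) {
    const host = url.hostname;
    const res = servers[host + url.pathname]((name) => jar.has(`${host}|${name}`));
    if (res.setCookie) {
      // The proposed rule: reached via redirect AND on a different domain.
      const foreignRedirect = hops > 0 && baseDomain(host) !== origin;
      if (blockOnRedirect && foreignRedirect && !whitelist.includes(host)) {
        blocked.push(`${host}|${res.setCookie}`);
      } else {
        jar.add(`${host}|${res.setCookie}`);
      }
    }
    if (res.status !== 302) return { outcome: "loaded", finalUrl: url.href, jar: [...jar], blocked };
    url = new URL(res.location);
  }
  return { outcome: "redirection limit exceeded", finalUrl: url.href, jar: [...jar], blocked };
}

console.log(navigate("http://news.site.test/", { blockOnRedirect: true }));
console.log(navigate("http://mail.webmail.test/", { blockOnRedirect: true }).outcome);
```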