Last Comment Bug 290456 - Clear plugin data in "clear private data"/"forget about this site"
: Clear plugin data in "clear private data"/"forget about this site"
Status: RESOLVED FIXED
[sg:want]
: privacy
Product: Firefox
Classification: Client Software
Component: Private Browsing (show other bugs)
: Trunk
: All All
: -- enhancement with 16 votes (vote)
: ---
Assigned To: dwitte@gmail.com
:
Mentors:
http://www.internetweek.com/showArtic...
: 298825 383320 399724 400934 414478 471331 614225 636381 665384 (view as bug list)
Depends on: 508167 618461
Blocks: 508068 565561
  Show dependency treegraph
 
Reported: 2005-04-15 06:08 PDT by Philip Chee
Modified: 2011-06-19 14:42 PDT (History)
43 users (show)
mconnor: blocking‑firefox3-
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
-


Attachments

Description Philip Chee 2005-04-15 06:08:54 PDT
User-Agent:       Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8a6) Gecko/20050111 MultiZilla/1.8.0.0a Mnenhy/0.7.2.0
Build Identifier: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8a6) Gecko/20050111 MultiZilla/1.8.0.0a Mnenhy/0.7.2.0

Flash "cookies" or "persistent identification elements" aka PIE are actually
Flash MX shared local objects.  To quote the article:

"When a consumer goes to a PIE-enabled website, the visitor's browser is tagged
with a Flash object that contains a unique identification similar to the text
found in a traditional cookie. In this way, PIE acts as a cookie backup, and can
also restore the original cookie when the consumer revisits the site."

Please consider blocking these kinds of "cookies" too.

I'm sure that there must be a duplicate bugzilla bug in here somewhere but I
can't find it.

Reproducible: Always

Steps to Reproduce:
Comment 1 Philip Chee 2005-04-15 06:29:44 PDT
Update: there is an extension for Firefox that does this:
<http://www.yardley.ca/objection/>

"What is 'objection'?

objection is an extension for Firefox that adds deletion of Local Shared Objects
to the Option > Privacy panel."

It would be nice for this feature to be integrated into firefox.
Comment 2 Christian :Biesinger (don't email me, ping me on IRC) 2005-04-15 06:41:14 PDT
that page made it clear that this is handled entirely in the plugin. thus, it is
completely out of the scope of the networking library. -> ffox frontend

(Hm... comment 0 says you are using mozilla, not firefox?)
Comment 3 Philip Chee 2005-04-15 07:13:10 PDT
 Christian Biesinger (:bi) wrote:

> (Hm... comment 0 says you are using mozilla, not firefox?)

I'm from the Flashblock team so I use both for testing. I opened this bug
because someone in the flashblock mailing list asked us to block flash cookies
as well.  I thought that this was more appropriate as part of firefox/seamonkey
instead of an extension - then several minutes later I find the "objection"
extension while looking for something else.

Grrr.  The author of objection totally replaces PrivacyPanel.clearAll() instead
of handing off to the original after processing the LSOs.
Comment 4 Jo Hermans 2005-06-29 13:51:30 PDT
*** Bug 298825 has been marked as a duplicate of this bug. ***
Comment 5 Kevin Brosnan 2006-11-14 12:48:53 PST
I don't see a dupe of this bug, marking as new.
Comment 6 Jo Hermans 2007-06-06 05:45:46 PDT
*** Bug 383320 has been marked as a duplicate of this bug. ***
Comment 7 Ria Klaassen (not reading all bugmail) 2007-10-14 11:41:20 PDT
*** Bug 399724 has been marked as a duplicate of this bug. ***
Comment 8 dwitte@gmail.com 2007-11-25 22:26:35 PST
*** Bug 400934 has been marked as a duplicate of this bug. ***
Comment 9 Daniel Veditz [:dveditz] 2008-01-28 22:34:12 PST
*** Bug 414478 has been marked as a duplicate of this bug. ***
Comment 10 Philip Chee 2008-01-28 23:12:36 PST
There is no patch. And even if there were, it would have i18n impact. I think it's too late in this cycle to block.
Comment 11 Philip Chee 2008-01-28 23:18:04 PST
Updated link to the Objection extension (Delete Flash Local Shared Objects):
http://objection.mozdev.org/
Comment 12 Mike Connor [:mconnor] 2008-02-04 22:41:06 PST
Not blocking, far too late for changes of this type.
Comment 13 Asa Dotzler [:asa] 2008-05-02 15:02:15 PDT
Surely there are other plugins that store private data. Shouldn't we simply have a "Plug-in data" checkbox in the Clear Private Data... window? Why clear just cookies and leave other private data on disk?
Comment 14 Philip Chee 2008-05-02 20:47:38 PDT
Is there a universal "clear plugin private data" API or does each plugin do things differently? If the latter I don't see how it would be practical to build in awareness of any and all plugin data handling not just for currently existing plugins but for any hypothetical future plugins from some obscure developer in Upper Moldavia. 
Comment 15 Asa Dotzler [:asa] 2008-05-03 01:16:22 PDT
There doesn't have to be a consistent API for Firefox to do its best for the common ones, Flash, Java, QuickTime, WMP, Acrobat and a few others.
Comment 16 Philip Chee 2008-05-03 02:48:13 PDT
(In reply to comment 15)
> There doesn't have to be a consistent API for Firefox to do its best for the
> common ones, Flash, Java, QuickTime, WMP, Acrobat and a few others.

In that case I suggest that having a "Plug-in data" checkbox in the Clear Private Data dialog would give a wrong impression, not to mention a false sense of security to the average mom'n'pop user who doesn't realise that this only clears data from popular plugins. Unless of course you change it to a "Some Plug-in data" checkbox.
Comment 17 Asa Dotzler [:asa] 2008-05-03 11:47:13 PDT
Philip, no more misleading than our current "clear cookies" or "clear offline website data" (and probably others) neither of which are cleared in certain plugin cases.  You're making perfect the enemy of good here.  We can probably never get everything and we can't be 100% accurate in our labeling without making the dialog unusable. 
Comment 18 Philip Chee 2008-05-03 21:20:31 PDT
> You're making perfect the enemy of good here.

Asa, normally I'd agree with you (i.e get something working first, worry about perfection later), but one of our "selling points" is that Firefox does security better than that other browser so I want to be more cautious when it comes to this type of issue. But I'll defer to the security and UI people who know more about these sort of things.
Comment 19 :Ehsan Akhgari 2008-12-28 09:50:03 PST
*** Bug 471331 has been marked as a duplicate of this bug. ***
Comment 20 Jistan 2009-08-02 07:17:26 PDT
Hi just wanted to let y'all know, the objection plugin is not compatible with 3.5. Thus the workaround no longer works.
Comment 21 Philip Chee 2009-08-02 09:54:31 PDT
https://addons.mozilla.org/en-US/firefox/addon/6623

BetterPrivacy 1.29
Works with Firefox: 2.0 – 3.6a1pre
Comment 22 Ian Melven 2009-08-03 17:49:37 PDT
Hi,

we (Adobe) are planning on supporting private browsing in Firefox and other browsers in a forthcoming Flash Player release.

additionally, we would welcome an NPAPI addition that would be called when a user wants to clear their private data. this is in our future plans also, but would likely happen a lot faster if this was implemented by Mozilla, rather than us having to write the patch for it ourselves.
Comment 23 Ian Melven 2009-08-03 17:52:40 PDT
also PLEASE do not try to clear LSO's in the browser code - imo this is something that should be handled by plugins themselves via an NPAPI addition.
Comment 24 Trevor 2009-08-03 18:07:13 PDT
Ian

Does Adobe have somewhere where interested people can contribute to discussion on the implementation? There are some, in my opinion, very complex issues that Adobe will have to overcome.

I have been looking at implementing Private Browsing mode support into Objection and the only solutions I came up with could create big problems for the user.
Comment 25 crf 2009-08-06 16:49:37 PDT
Linux users or extension developers may wish to know that the popular swfdec plugin stores site information in the file ~/.config/swfdec-mozilla (or similar).
Comment 26 Kohei Yoshino [:kohei] 2010-02-14 03:18:48 PST
Private browsing in Flash Player 10.1
http://www.adobe.com/devnet/flashplayer/articles/privacy_mode_fp10.1.html

Adobe Flash Now Supports InPrivate Browsing
http://blogs.msdn.com/ie/archive/2010/02/11/adobe-flash-now-supports-inprivate-browsing.aspx
Comment 27 alanjstr 2010-02-14 06:53:32 PST
Ian -

With Private Browsing, it looks like Adobe has decided to ask the browser if it is in Private Browsing and choose its mode based on that, correct?

Also, I don't see anything in https://bugs.adobe.com for allowing the browser to tell Flash what to clear.

All -

If this bug was specifically for Firefox Private Browsing, then I'd say it is resolved and a separate bug is needed for regular browsing.
Comment 28 Lars Gunther 2010-03-28 23:30:17 PDT
Chrome now allows the user to clear Flash cookies. Their idea might be worth checking out: http://www.imasuper.com/640/technology/chrome-adds-links-to-clear-adobe-cookies/

Their solution is not complete, but at least a first step towards some control.
Comment 29 Philip Chee 2010-05-24 13:09:22 PDT
> obsolete.fax@gmail.com changed:
>
>           What    |Removed                     |Added
> ----------------------------------------------------------------------------
>          Component|Private Browsing            |Security
>          QAContact|private.browsing@firefox.bu |firefox@security.bugs
>                   |gs                          |

Please don't randomly change component and flags if you don't know what you are doing.
Comment 30 obsolete.fax 2010-05-24 13:44:22 PDT
(In reply to comment #29)
> > obsolete.fax@gmail.com changed:
> >
> >           What    |Removed                     |Added
> > ----------------------------------------------------------------------------
> >          Component|Private Browsing            |Security
> >          QAContact|private.browsing@firefox.bu |firefox@security.bugs
> >                   |gs                          |
> 
> Please don't randomly change component and flags if you don't know what you are
> doing.

I changed component from (In reply to comment #29)
> > obsolete.fax@gmail.com changed:
> >
> >           What    |Removed                     |Added
> > ----------------------------------------------------------------------------
> >          Component|Private Browsing            |Security
> >          QAContact|private.browsing@firefox.bu |firefox@security.bugs
> >                   |gs                          |
> 
> Please don't randomly change component and flags if you don't know what you are
> doing.

I changed component from Private Browsing to Security because there is no Private Browsing component in 3.0.19. I changed to Security, as then websites can see what Flash cookies are there (what websites you have visited.)
Comment 31 Philip Chee 2010-05-24 21:35:45 PDT
mconnor has already minused blocking-firefox3-. Don't renominate bugs for a branch that have already been denied by drivers.

This is a privacy issue not a security issue. Please don't confuse the two concepts.

There are no patches here. Nobody is working on this bug - See the Assigned to field. It is useless nominating bugs such as this without a clear plan, without clear goals, without any working patches. If you want to discuss this issue please do it in the mozilla forums e.g. newsgroup mozilla.dev.apps.firefox rf the associated mailing list.
Comment 32 Jo Hermans 2010-11-23 09:11:27 PST
*** Bug 614225 has been marked as a duplicate of this bug. ***
Comment 33 Asa Dotzler [:asa] 2010-12-05 12:05:56 PST
Presumably this missed 4 but I see no way to nominate for 4.next so giving blocking2.0? a shot.  (btw, implemented in Chrome here http://codereview.chromium.org/5579002/ )
Comment 34 :Gavin Sharp [email: gavin@gavinsharp.com] 2010-12-10 11:49:51 PST
Looks like they did it by making modifications to the version of Flash that they ship, which we can't really do at the moment. We can't block 2.0 on this at this point.
Comment 35 dwitte@gmail.com 2010-12-10 14:38:04 PST
The NPP_ClearSiteData API is being finalized right now, and given Adobe's interest they'll likely implement it fairly quickly. We should get started on the Firefox code to aid in their testing, with an eye to roll this out in a point release.
Comment 36 dwitte@gmail.com 2010-12-10 14:47:02 PST
Changing summary to better describe what we're actually going to do here. (If we want a separate bug on clearing plugin data when you clear cookies, we should file one, but I don't have a strong opinion right now. I think this will be better solved with the new site preferences/history UI in the works.)
Comment 37 Mike Beltzner [:beltzner, not reading bugmail] 2011-01-13 14:19:13 PST
I suspect that this bug will become a meta, since it's about "plugin data" now and bug 618461 is just about Adobe Flash. That's probably OK. I'm going to open a new bug for the UI hookup for Flash.
Comment 38 Mike Beltzner [:beltzner, not reading bugmail] 2011-01-13 14:36:08 PST
For those interested:

Bug 625495 - Clear Adobe Flash Cookies (LSOs) when Clear Cookies is selected in the Privacy > Custom > Clear History When Firefox Closes > Settings... dialog

Bug 625496 - Clear Adobe Flash Cookies (LSOs) when Cookies is selected in Clear Recent History

Bug 625497 - Clear Adobe Flash Cookies (LSOs) when "Forget This Site" is selected
Comment 39 dwitte@gmail.com 2011-02-08 14:21:50 PST
Fixed by bug 508167 and the above.
Comment 40 Kevin Brosnan [:kbrosnan] 2011-02-23 21:01:02 PST
*** Bug 636381 has been marked as a duplicate of this bug. ***
Comment 41 Mardeg 2011-06-19 14:42:59 PDT
*** Bug 665384 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.