FF allows cookie data to be passed between domains

RESOLVED DUPLICATE of bug 349680

Status

()

RESOLVED DUPLICATE of bug 349680
11 years ago
11 years ago

People

(Reporter: webbanalys, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: DUPEME?)

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

The removed functionality from FF 1.x where it was possible to block ALL 3rd party cookies would have prohibited this, now the lack of it opens a hole that does not increase a FF 2.x users online integrity.

The passing of cookie details between domains must be prohibited.

Reproducible: Always

Steps to Reproduce:
1. On a clean install of FF (or FF with a wiped cookie container) visit http://www.sebank.se (bank site).
2. Then check the cookies that have been created.
3. The value from the cookie issued by the other domain than the visited can be found injected into the cookies of the sebank.se domain.
Actual Results:  
Cookie data is passed between domains.

Expected Results:  
Cookie data is passed between domains.

FF should have a setting to prohibit JavaScript executions in which cookie data is passed between the cookies of different domains.

Comment 1

11 years ago
probably dupe of wontfixed 349680

Updated

11 years ago
Whiteboard: DUPEME?
I manually flipped the old pref (network.cookie.cookieBehavior) from the default 0 to the "no 3rd party" setting 1 which is all the UI used to do (no functionality was removed from the product, it was just removed from the UI). In both cases I got exactly the same set of cookies: two from seb.se and one from instandia.net

In any case that's each site simply setting its own cookies, you have not explained or demonstrated "passing of cookie details". Not sure what that would mean, but there is absolutely no way to prevent two servers sharing data if they want to: they could do it by loading iframe urls with query parameters, redirects (which this site obviously uses given sebank.se ends up on seb.se), or do it on the back end completely invisible to the browser.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 349680
You need to log in before you can comment on or make changes to this bug.