Closed Bug 391336 Opened 18 years ago Closed 18 years ago

FF allows cookie data to be passed between domains

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 349680

People

(Reporter: webbanalys, Unassigned)

Details

(Whiteboard: DUPEME?)

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 The removed functionality from FF 1.x where it was possible to block ALL 3rd party cookies would have prohibited this, now the lack of it opens a hole that does not increase a FF 2.x users online integrity. The passing of cookie details between domains must be prohibited. Reproducible: Always Steps to Reproduce: 1. On a clean install of FF (or FF with a wiped cookie container) visit http://www.sebank.se (bank site). 2. Then check the cookies that have been created. 3. The value from the cookie issued by the other domain than the visited can be found injected into the cookies of the sebank.se domain. Actual Results: Cookie data is passed between domains. Expected Results: Cookie data is passed between domains. FF should have a setting to prohibit JavaScript executions in which cookie data is passed between the cookies of different domains.
probably dupe of wontfixed 349680
Whiteboard: DUPEME?
I manually flipped the old pref (network.cookie.cookieBehavior) from the default 0 to the "no 3rd party" setting 1 which is all the UI used to do (no functionality was removed from the product, it was just removed from the UI). In both cases I got exactly the same set of cookies: two from seb.se and one from instandia.net In any case that's each site simply setting its own cookies, you have not explained or demonstrated "passing of cookie details". Not sure what that would mean, but there is absolutely no way to prevent two servers sharing data if they want to: they could do it by loading iframe urls with query parameters, redirects (which this site obviously uses given sebank.se ends up on seb.se), or do it on the back end completely invisible to the browser.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.