Closed Bug 425819 Opened 16 years ago Closed 16 years ago

Extensions circumvent disabled cookies

Categories

(Firefox :: Settings UI, defect)

x86
Windows XP
defect
Not set
major

RESOLVED INVALID

People

(Reporter: webmaster, Unassigned)

Details

(Keywords: privacy, Whiteboard: [sg:nse])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5

While testing cookie settings, I discovered that disabling cookies can be circumvented by extensions.

Reproducible: Always

Steps to Reproduce:
1. Download the Live PageRank Extension < https://addons.mozilla.org/en-US/firefox/addon/2007 >, change the max version if need be, and install it.
2. Disable cookies by going to Tools>Options>Privacy and unchecking "Accept cookies from sites".
3. Erase all cookies by hitting "Show Cookies" and clicking on "Remove All Cookies".
4. Close out of the options window, visit any webpage, for example < http://mozilla.com >, and then check the cookie list in Tools>Options>Privacy>Show Cookies...
Actual Results:  
There will be two cookies in the list, one from google.com, the other from toolbarqueries.google.com.

Expected Results:  
There should be no cookies in the list because Cookies should be disabled.
Version: unspecified → Trunk
An extension can do anything, up to and including directly writing to the cookie storage file bypassing any checks we put on the cookie APIs. All we can do is ask that they respect user prefs.

This is a bug in the extension, probably accidentally using the wrong API. Please report this to the author of the plugin (the author's homepage seems to have a feedback link).

I think this is not a Firefox bug.
Group: security
Keywords: privacy
Whiteboard: [sg:nse]
Makes sense, though it still sounds dangerous (exploitable). I'll contact the developer of the extension, then.
Yes, extensions should honor the pref, but "exploitable" probably isn't the right word. A privacy concern for sure.
i've read through the source of the extension and it doesn't seem to be doing anything deliberate to store cookies (in fact, it doesn't have anything cookie-related at all). it does, however, kick off an XMLHttpRequest to contact a google datacenter and look up the pagerank.

if anything, this is XMLHttpRequest-related, which bears looking into.

andrew, can you also generate a cookie log (see http://developer.mozilla.org/en/docs/index.php?title=Creating_a_Cookie_Log)? (clear and disable cookies, shut down the browser, enable logging, start the browser, use the extension, then close down and attach the log here.)
looks like you might just have google.com whitelisted - are there any sites listed in options->privacy->cookie exceptions?
Ah! toolbarqueries.google.com was whitelisted, yes. Odd, because I never added it...
the current version of the extension doesn't whitelist it, so either a previous version did, or it got there some other way (maybe a different extension, or maybe someone else whitelisted it for you?).

if a previous version did, and given the current one doesn't, then at most it's worth a privacy note on the extension's amo page.

if it got there some other way, not much we can do ;)

-> INVALID, but if you find out what added this, please comment.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
No one else uses this computer... And as the extension appears to require cookies to correctly work, it would make sense if an older version whitelisted it. However, I can't provide any other information, other than I don't remember ever whitelisting any cookies in all the time I've used Firefox.
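
The outcome diagnosed in this thread, as an added example that is not part of the original bug comments and is not Firefox code: a simplified model in which a per-site cookie exception is consulted before the global "Accept cookies from sites" setting, plus an audit helper that lists exceptions contradicting that setting. All function and constant names are hypothetical, the subdomain walk is an assumption of the model, and the sample state is constructed from the report.

```javascript
// Added illustration (not Firefox source). All names here are hypothetical.
const ALLOW = "allow";
const BLOCK = "block";

// Return the most specific exception that covers `host`, or null.
// Assumption of this model: an entry for a domain also covers its subdomains.
function findException(exceptions, host) {
  let candidate = host.toLowerCase();
  while (candidate) {
    if (exceptions.has(candidate)) {
      return { host: candidate, action: exceptions.get(candidate) };
    }
    const dot = candidate.indexOf(".");
    candidate = dot === -1 ? "" : candidate.slice(dot + 1);
  }
  return null;
}

// Decide whether a response from `host` may store cookies.
// A per-site exception is consulted first; the global checkbox is the fallback.
function effectiveCookiePolicy(acceptCookies, exceptions, host) {
  const hit = findException(exceptions, host);
  if (hit) {
    return { allowed: hit.action === ALLOW, source: `exception:${hit.host}` };
  }
  return { allowed: acceptCookies, source: "global" };
}

// Audit helper: exceptions that contradict the global setting, i.e. the
// entries to review when cookies show up despite being "disabled".
function conflictingExceptions(acceptCookies, exceptions) {
  return [...exceptions]
    .filter(([, action]) => (action === ALLOW) !== acceptCookies)
    .map(([host]) => host)
    .sort();
}

// Constructed state mirroring the report: cookies disabled, one stale ALLOW entry.
const SAMPLE_EXCEPTIONS = new Map([["toolbarqueries.google.com", ALLOW]]);

for (const host of ["toolbarqueries.google.com", "mozilla.com"]) {
  const { allowed, source } = effectiveCookiePolicy(false, SAMPLE_EXCEPTIONS, host);
  console.log(`${host}: ${allowed ? "cookies stored" : "cookies rejected"} (${source})`);
}
console.log("review:", conflictingExceptions(false, SAMPLE_EXCEPTIONS));
```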