Closed Bug 435670 Opened 16 years ago Closed 9 years ago

Existing cookies leak when using the "Ask Every Time" option and choosing "Deny".

Categories

(Core :: Networking: Cookies, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: steve1207, Unassigned)

Details

(Keywords: privacy)

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008051206 Firefox/3.0

When cookies are enabled, and the "Ask Every Time" (prompting) option is chosen, the "Confirm Setting Cookies" dialog box is presented as expected. However ... while choosing "Deny" does prevent the modification of an existing cookie, that cookie is still sent back to the server with the asset query.

It seems clear that "Deny" should both prevent accepting new *and* sending old cookies to the denied server. But this is not FFv3's current behavior.

Reproducible: Always

Steps to Reproduce:
1. Set FFv3 to Accept all cookies and keep until they expire. Also clear any per-site cookie exceptions.
2. Go to GRC's cookie forensics page: http://www.grc.com/cookies/forensics.htm This will load up the browser with a large collection of timestamped and tagged cookies.
3. Change FFv3 to "Ask me every time" (cookie prompting) mode.
4. Refresh the page or click the "Reread Cookies" button.
5. Choose "DENY" for all cookie prompts. Note that even choosing the "Use my choice for all cookies from this site" option results in MANY duplicate prompts about "www.grctech.com" cookies since EIGHT non-modal dialog boxes are produced, stacked upon each other, thus the answer from the first cannot be obtained by the others. It would be *much* better if the cookie prompting dialogs were produced serially rather than in parallel so that the answer from the first could prevent all subsequent prompting.
6. Once you DENY all cookies, the forensics results will be displayed ... showing ALL ORANGE cookies, which indicates that old (stale) existing cookies were received by the server, even though every cookie was denied.

Actual Results:
Even though every existing cookie was denied, and they were, in fact, not updated, they were still sent to the server.

Expected Results:
DENYing cookies when prompted should *both* prevent them being sent and received.

This dialog is specifically about modifications to cookies. If the site hadn't tried to modify the cookie, it would have been sent without a dialog at all. Hopefully, this dialog will go away entirely in future versions of Firefox. See bug 310492, bug 217199, and https://wiki.mozilla.org/Cookies:prompting_ui.
Component: Security → Networking: Cookies
Keywords: privacy
Product: Firefox → Core
QA Contact: firefox → networking.cookies
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
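
The behaviour discussed in this bug, as an added example that is not part of the bug report or of Firefox's code: a simplified JavaScript model of a cookie jar in which the prompt answer gates only Set-Cookie handling, next to the variant the reporter expected. The class, the `denyBlocksSend` switch and the host `www.example.test` are hypothetical; paths, expiry and domain matching are ignored.

```javascript
// Simplified model (added example, not Gecko code) of a cookie store where the
// prompt decision gates only Set-Cookie processing, as the bug describes.
class CookieJar {
  // denyBlocksSend=false models the reported behaviour; true models the
  // reporter's expected behaviour. Both names are hypothetical.
  constructor({ denyBlocksSend = false } = {}) {
    this.denyBlocksSend = denyBlocksSend;
    this.cookies = new Map();   // host -> Map(name -> value)
    this.denied = new Set();    // hosts the user answered "Deny" for
  }

  // Handle one Set-Cookie header; `decision` is the user's prompt answer.
  setFromResponse(host, setCookie, decision) {
    if (decision === "deny") {
      this.denied.add(host);
      return false;             // new value is dropped, old value stays stored
    }
    const pair = setCookie.split(";")[0];
    const eq = pair.indexOf("=");
    if (eq < 1) return false;   // ignore nameless or malformed pairs
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    if (!this.cookies.has(host)) this.cookies.set(host, new Map());
    this.cookies.get(host).set(name, value);
    return true;
  }

  // Build the Cookie request header for a host ("" means no header is sent).
  cookieHeader(host) {
    if (this.denyBlocksSend && this.denied.has(host)) return "";
    const stored = this.cookies.get(host) || new Map();
    return [...stored].map(([n, v]) => `${n}=${v}`).join("; ");
  }
}

// Constructed scenario following the report's steps: accept once, then deny an update.
function replay(denyBlocksSend) {
  const jar = new CookieJar({ denyBlocksSend });
  jar.setFromResponse("www.example.test", "stamp=old; Path=/", "allow");
  jar.setFromResponse("www.example.test", "stamp=new; Path=/", "deny");
  return jar.cookieHeader("www.example.test");
}

console.log("deny gates Set-Cookie only:", JSON.stringify(replay(false)));
console.log("deny gates send and receive:", JSON.stringify(replay(true)));
```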