Closed Bug 443337 Opened 16 years ago Closed 7 years ago

Cookie "Exceptions" Should Not Take Precedence Over "Accept third-party cookies"

Categories

(Firefox :: Security, enhancement)

x86
Windows XP
enhancement
Not set
normal


RESOLVED DUPLICATE of bug 845787

People

(Reporter: war59312, Unassigned)


Details

(Keywords: privacy)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0

Hi,

In Firefox 3 Cookie "Exceptions" currently take precedence over the "Accept third-party cookies" privacy cookies option. Why?

Why would anyone want to add a cookie exception when third-party cookies are disabled and yet have that exception allow third-party cookies?

The whole point in disabling third-party cookies in the first place is for privacy. Exceptions should follow the rules set in place.

If I do allow third-party cookies then a cookie exception should too.

So basically to fix this issue cookie exceptions simply need to respect the "Accept third-party cookies" privacy cookie option.

To see how this works in Firefox 3 please follow this short and simple example:

I have disabled "Accept third-party cookies" and have set two "allow for session" cookie exceptions for grc.com and grctech.com.

I then run the following test: http://www.grc.com/cookies/context.htm. Click "Test Cookie Context Management" and then click "Back to Cookie Forensics".

Once the page completely loads, notice all the "Cross-Context Leakage". This is because cookies from grctech.com and grc.com are allowed in both a first- and third-party context.

Take Care,

Will

Reproducible: Always

Steps to Reproduce:
1. Disable "Accept third-party cookies" privacy option.
2. Set two "allow for session" cookie exceptions for grc.com and grctech.com.
3. Test for cookie leakage on http://www.grc.com/cookies/context.htm.
4. As you can see exception cookies are allowed in a third-party context.
Actual Results:  
Cookie Exceptions take precedence over the "Accept third-party cookies" privacy cookies option. That is, all cookies that belong to an exception are allowed in both a first and third-party context.

Expected Results:  
Cookie Exceptions respect the "Accept third-party cookies" privacy cookies option. If third-party cookies are allowed then cookie exceptions allow cookies in both a first and third-party context. If third-party cookies are not allowed then cookie exceptions only allow cookies in a first-party context.

Please feel free to join in on this discussion via the grc feedback newsgroup:

http://12078.net/grcnews/article.php?id=72655&group=grc.news.feedback#72655
Keywords: privacy
Isn't the whole purpose of the exceptions to allow cookies that would otherwise be blocked based on the "Accept" checkboxes?
Either way cookie handling is very limited in Firefox 3.

After rethinking this a bit, basically all we need to do is have global cookie controls and per-site cookie controls, and do away with exceptions completely. The per-site cookie control is the exception.

Per-site controls by default would take precedence over the global cookie setting. This makes more sense and this is how Opera handles the job. And it does it correctly. So on a new install the global cookie control allows first- and third-party cookies. Just like now. That would not change.

But if a user decides to disable first- and third-party cookies via the global cookie setting, the user can still allow individual sites to set third-party cookies by using a per-site cookie setting, while still only allowing some sites to set only first-party cookies using a per-site cookie control.

This gives the user more control about how cookies are used. Currently in Firefox 3 the user does not have the ability to control which sites are allowed to set first and third-party cookies, only that they can set cookies (both first and third-party). That is what the cookie exception does.
Severity: normal → enhancement
This issue has affected me as well.  By default, I want to allow only first-party session cookies.  There are a few sites that I'd like to permit to set persistent cookies, but I still don't want those sites to be able to set third-party cookies.

This is really a kind of serious privacy bug, since there's no way to elevate a site's cookie permissions without opening yourself up to being tracked by that site.
I agree that the current handling is really backwards. E.g. someone wants to have their social network site login remembered, but probably doesn't want that site to track almost every other site they visit (via js includes, etc.)

The 3rd party pref should have precedence, or an extra column should be added to the exceptions list that allows per-site control of 3rd party when creating an exception.
Will a decade pass before people can control their cookies out-of-the-box?
Exceptions take precedence over the global settings -- this is WONTFIX. However you're right that we're missing some flexibility. We have implemented internally the ability to add an "allow first party only" exception which is more or less what this bug wants, but it is not exposed to the UI.

The UI bug is bug 845787. Although not a true dupe, it's a dupe in spirit so I'll mark it that way rather than wontfixing.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
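To make the two precedence rules argued over in this thread concrete, here is an added Python model (not Firefox code) of the reporter's setup: one switch reproduces the Firefox 3 behaviour where an allow exception wins in every context, the other the requested behaviour where the global third-party setting still applies, plus the "allow first party only" exception mentioned in the closing comment. The Perm names, the function names and the two-label registrable-domain shortcut are assumptions made for the example.

```python
from enum import Enum

class Perm(Enum):
    """Per-site exception kinds; FIRST_PARTY_ONLY is the internal-only one from the last comment."""
    ALLOW = "allow"
    SESSION = "allow for session"
    BLOCK = "block"
    FIRST_PARTY_ONLY = "allow first party only"

def registrable_domain(host):
    # Simplification (assumption): last two labels. Real browsers consult the
    # public suffix list, so e.g. 'example.co.uk' would need three labels.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_third_party(cookie_host, top_level_host):
    """A cookie is third-party when its site differs from the top-level page's site."""
    return registrable_domain(cookie_host) != registrable_domain(top_level_host)

def accept_cookie(cookie_host, top_level_host, accept_cookies, accept_third_party,
                  exceptions, exceptions_override_third_party):
    """Decide whether a cookie set by cookie_host is stored while top_level_host is the page.

    exceptions_override_third_party=True models the Firefox 3 behaviour reported above
    (an allow exception wins in every context); False models the requested behaviour.
    """
    third_party = is_third_party(cookie_host, top_level_host)
    perm = exceptions.get(cookie_host)
    if perm is Perm.BLOCK:
        return False                    # a block exception wins under both policies
    if perm is Perm.FIRST_PARTY_ONLY:
        return not third_party          # never stored from a third-party context
    if perm in (Perm.ALLOW, Perm.SESSION):
        if third_party and not accept_third_party and not exceptions_override_third_party:
            return False                # requested: the global third-party pref still applies
        return True                     # Firefox 3: the exception overrides the global prefs
    if not accept_cookies:
        return False                    # no exception and cookies globally disabled
    return (not third_party) or accept_third_party

def context_test(exceptions_override_third_party):
    """Reporter's setup: third-party cookies off, session exceptions for grc.com and grctech.com.
    Returns whether a grctech.com cookie is stored while www.grc.com is the page (the
    'Cross-Context Leakage' the GRC test flags) next to the ordinary first-party case."""
    exceptions = {"grc.com": Perm.SESSION, "grctech.com": Perm.SESSION}
    common = dict(accept_cookies=True, accept_third_party=False, exceptions=exceptions,
                  exceptions_override_third_party=exceptions_override_third_party)
    return {"first_party": accept_cookie("grc.com", "www.grc.com", **common),
            "third_party": accept_cookie("grctech.com", "www.grc.com", **common)}
```

`context_test(True)` reports the leak the reporter saw (both True); `context_test(False)` keeps the first-party cookie and rejects the cross-context one.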