Closed Bug 475099 Opened 16 years ago Closed 5 years ago

allow website to disallow 3rd-party content from setting cookies

Categories

(Core :: Networking: Cookies, enhancement, P3)

x86
Linux
enhancement

RESOLVED INVALID

People

(Reporter: scientes-bugs+mozilla-6d4590a7b797c005d0b3, Unassigned)

Details

(Whiteboard: [necko-backlog])

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121623 Ubuntu/8.10 (intrepid) Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121623 Firefox/3.0.5

Developers have no control over the privacy of their visitors if they include any content transcluded from other sites, even javascript or images. A big-profile example of this is whitehouse.gov breaking an almost 2 decade old rule against persistent cookies because they want to include youtube in their site. (http://www.whitehouse.gov/omb/memoranda/m00-13.html , http://yro.slashdot.org/article.pl?sid=09/01/22/1941233)

Embedded content that has cookies in the vast majority of cases doesn't need cookies to function, it goes against the original function of cookies to store a persistent session, it is insecure as javascript can do bad things, and it takes power away from the developer.

Please add extensions that allow developers to specify that embedded content cannot set or receive cookies. This could be something like rel="nocookie" on <img> <script> <embed> <video> etc. and/or a page-wide meta tag that can set developer-granted permissions. This could be simple yes/no, it could be blacklist/whitelist, and it could even allow the developer to limit the scope of their own cookies perhaps.

None of this would happen by default and it wouldn't break any (I know of none besides tracking) applications that use cookies on these resources. It would give developers much more control, and a security feature if they could set the scope of their cookies and limit the scope of others' cookies that come from their own pages' embedded resources (i.e. persistent, session, at all).

This will help the development of a secure mash-up web, and instead of users having to do it in frustrating ways, developers could set it, get peace of mind in their privacy policies, and the federal government could embed and embrace the mash-up web without sacrificing their principles.

A big part of this is that developers, more than anyone else, should have control over their own sites (as long as it is not a security risk), and this is a big step in that direction.

Reproducible: Always

Steps to Reproduce:
1. Go to whitehouse.gov in a fresh firefox install
2. Without even clicking the play button notice that a youtube cookie has been set
3. See the cookie from youtube.com that expires in september

Firefox can do this with the disallow cookies from third-parties preference, however this is not enabled by default as it could possibly (I don't know what) break things. This helps fix that conundrum.
A general solution for websites would be much better. I mean that such a feature shouldn't be limited to embed contents, it should be also valid for third-party scripts/images. Could be done with a Meta Tag or http header (?)
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Component: General → Networking: Cookies
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → networking.cookies
Summary: allow developers to disallow embedded content from setting cookies → allow website to disallow embedded content from setting cookies
@matti yes that's what I meant, I did specify <script> and <img> tags which include 3rd party content.
I think meta could work, or header, and also allow specific whitelist/blacklist behavior either in meta or on the 3rd-party linking tags themselves.
Summary: allow website to disallow embedded content from setting cookies → allow website to disallow 3rd-party content from setting cookies
(In reply to comment #0)
> developers have no control over the privacy of their visitors if they include any content transcluded from other sites, even javascript or images.

If a site includes SCRIPT from other sites (unfortunately common) all bets are off, and blocking cookies on the load would not be much of a speedbump to all kinds of potential privacy violations. Most content (like images) could be easily re-hosted on the original web site if cookies are a concern.

> A big-profile example of this is whitehouse.gov breaking an almost 2 decade old rule against persistent cookies because they want to include youtube in their site.

They "want" to include YouTube, but they don't have to. Again, they could host the content themselves, or they could provide a link to the content and let users navigate there at their choice (and get a cookie doing so, but not from the gov't site). They might even be able to negotiate a special deal with YouTube (being the President and all) to host this content at a special path or sub-domain that doesn't set cookies.

Ranting aside, this might be a useful feature request in limited circumstances. Since a site can control whether it sets cookies for its own content, and some sub-content may require cookies, it's probably most useful to make this an attribute on specific elements. Best to go through the HTML5/what-wg standards efforts though.

Note that even with this sort of feature, YouTube videos would still set a cookie-like Flash Local-storage object. The browser can't do anything about that.
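Added example (not part of the bug thread or of any Mozilla code): the comment above separates third-party scripts, where blocking cookies helps little, from content such as images that a site could re-host. This Python audit inventories a page's cross-site embeds along that line; the host names, the sample HTML, the last-two-labels `site_of` heuristic and the active/passive labels are assumptions of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements named in the report, plus iframe/object, with their URL attribute.
URL_ATTRS = {"img": "src", "script": "src", "embed": "src", "video": "src",
             "iframe": "src", "object": "data"}
# Example's own classification: content that can run code in or beside the page.
ACTIVE = {"script", "iframe", "embed", "object"}


def site_of(host):
    # Crude same-site guess (last two DNS labels), an assumption of this
    # example; a production audit should consult the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname or "")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        # Resolve relative and scheme-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, value)).hostname if value else None
        if host and site_of(host) != self.page_site:
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((tag, host, kind))


def audit(page_url, html):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, not a capture of any real site.
SAMPLE = """<html><body>
<img src="/logo.png">
<img src="https://static.example.org/banner.png">
<img src="https://tracker.example.net/pixel.gif">
<script src="//cdn.example.net/widget.js"></script>
<embed src="https://video.example.com/player.swf">
</body></html>"""

if __name__ == "__main__":
    print(*audit("https://www.example.org/", SAMPLE), sep="\n")
```

Every finding is a request that leaves the site and can carry or set cookies; the "passive" ones are the candidates for re-hosting, while the "active" ones need review regardless of cookie settings.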
Yes you are right, it really shows how Adobe is quiet about how they are violating privacy when I didn't even know about flash cookies till a couple of days ago when I submitted this and did some research. Firefox, or its add-ons, really need to extend their cookie control over flash even if that is stomping over Flash's space. Someone needs to be responsible for making people realize that blocking HTTP cookies does nothing to prevent the endless sites that put flash bugs in their sites from tracking you. I block all flash except for video sites and am really wanting the web to move to the <video> element, but truth is that videos today are done with flash, and hacking flash embeds into video embeds for vlc etc. is very problematic. I guess that's another bug....
I haven't tried it, but the "Better Privacy" addon claims to delete flash local storage objects. https://addons.mozilla.org/en-US/firefox/addon/6623
Whiteboard: [necko-backlog]
Priority: -- → P1
Priority: P1 → P3

Something similar can be achieved using CSP. But in general, this bug is invalid.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID