Closed Bug 536781 Opened 15 years ago Closed 14 years ago

Block cookies of embedded scripts

Categories

(Core :: Networking: Cookies, enhancement)

x86
Linux
enhancement
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: ogregoire, Unassigned)

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.1.6) Gecko/20091215 Ubuntu/9.10 (karmic) Firefox/3.5.6
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.1.6) Gecko/20091215 Ubuntu/9.10 (karmic) Firefox/3.5.6

I dislike the way social websites or search engines track the visits we perform all over the internet. A lot of websites embed scripts such as "join us on ..." and the social platform shows a list of our own friends indicating they joined the website inside of the social platform, meaning that they used their own cookies to retrieve information.

So I guess I would still like to have the effect "join us on..." but I don't want to see personalized items. I thought the simplest was to be able to block cookies as follows.

A Firefox user has already accessed the website "foo.com". That website set up some cookies. He then accesses a page that is on "bar.com". The page of "bar.com" embeds (using HTML or JS) a script/page of "foo.com". That script uses cookies to get back information from "foo.com".

The idea is to be able to block the cookies of foo.com while the user is on bar.com or fu.com or any website other than foo.com.

Given the great implications of this (Google AdSense, targeted advertisement), I think that this would be an optional behavior that we can set in the prefs.

Reproducible: Always
Note that the embedding site does not have access to your data, so there's no privacy problem here.
Component: General → Networking: Cookies
Product: Firefox → Core
QA Contact: general → networking.cookies
> That script uses cookies to get back information from "foo.com".

If it's embedded by bar.com, then it can't do this; it's blocked by existing security policies. So what issue are you really worried about?
Concretely, here's what I dislike. I'm a Facebook user. I'm visiting a newspaper website. That newspaper website has created its own page on Facebook and embeds the Facebook script to let me "like" it. The Facebook script shows me a list of people who already liked the website. The list *always* contains at least 1 person from my friends list (of the only two who like that website, and from the 40000 people who like that website, so no, it's not random). So that means that Facebook had access to my cookies to Facebook while the address in the bar is clearly not Facebook.

Clearly, I don't want Facebook to know the websites I browse that are registered to them. So I would like an option to prevent embedded scripts from accessing their own cookies if they are not from the same domain. Since this is linked to my very own privacy, I don't think I should be required to install a plug-in, but this option should be present by default in Firefox. Knowing the influence of social networks and the way they exist, it would be an opt-in option.

I hope this is much clearer.
> So that means that Facebook had access to my cookies to Facebook while the
> address in the bar is clearly not Facebook.

What happened there is that the cookies sent on the wire when making a network request to Facebook are the ones for Facebook. The script itself doesn't have access to the cookies, but the HTTP server generating the response does (and hence can customize the script accordingly; e.g. it could embed those values in the script itself).

If you just don't want to have the Facebook cookie sent with the HTTP request in this situation, go to Preferences > Privacy, select "Use custom settings", and uncheck the "Accept third-party cookies" checkbox. This _will_ break some sites, unfortunately, though not many in my experience.
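The behaviour described in the comment above, as an added example that is not part of the original comment and is not Firefox code: a simplified JavaScript model of which cookies travel with the embedded request, what a script in the page can read, and the effect of the third-party cookie preference. The hosts `www.bar.com` and `widgets.foo.com`, the cookie values and all function names are constructed for illustration; matching sites by the last two host labels is an assumption (browsers use the Public Suffix List).

```javascript
// Simplified model of the behaviour discussed in this bug; not Firefox code.
// Assumption: "same site" is approximated by the last two host labels.
const site = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// Constructed cookie jar: the user logged in to foo.com earlier.
const jar = { "foo.com": "session=alice", "bar.com": "theme=dark" };

// Cookie header the browser attaches to a request made while the address
// bar shows topLevelUrl. blockThirdParty models the unchecked
// "Accept third-party cookies" preference.
function cookieHeaderFor(topLevelUrl, requestUrl, blockThirdParty) {
  const thirdParty = site(topLevelUrl) !== site(requestUrl);
  if (thirdParty && blockThirdParty) return "";
  return jar[site(requestUrl)] || "";
}

// What a script running in the page sees through document.cookie: only the
// cookies of the document it runs in, whichever host served the script file.
function documentCookie(topLevelUrl) {
  return jar[site(topLevelUrl)] || "";
}

// Hypothetical foo.com server: it reads the Cookie header of the request
// and customises the script it returns accordingly.
function fooServer(cookieHeader) {
  const m = /session=(\w+)/.exec(cookieHeader);
  return m ? `showFriendsOf("${m[1]}")` : "showGenericCount()";
}

// The page on bar.com embeds <script src="https://widgets.foo.com/like.js">.
function loadWidget(blockThirdParty) {
  const page = "https://www.bar.com/article";
  const src = "https://widgets.foo.com/like.js";
  return fooServer(cookieHeaderFor(page, src, blockThirdParty));
}

console.log("default pref:     ", loadWidget(false));
console.log("third-party off:  ", loadWidget(true));
console.log("page script reads:", documentCookie("https://www.bar.com/article"));
```

With the default preference the response is personalised even though the page's own script never sees the foo.com cookie; with third-party cookies disabled the same request carries no cookie and the generic widget is returned.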
Ok, this works perfectly in fact. This bug/ticket can be closed. In fact, the translation of "third party" in French isn't as explicit as "third party" is in English. Maybe I'll suggest something else to the translation team, if you could just point me to who to contact.
Olivier, you can file a bug at https://bugzilla.mozilla.org/enter_bug.cgi?product=Mozilla+Localizations&component=fr+/+French for that. Thanks! Resolving worksforme. Thanks for following up on this.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME