Closed Bug 585997 Opened 14 years ago Closed 14 years ago

Accept third party cookies is unchecked, cookies are all from the underlying domain, but the frame with content is from a different domain. Cookies are blocked.

Categories

(Firefox :: Settings UI, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: steevo, Unassigned)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Go to 
http://www.firstchoicemarine.com/c-643-parts-finder.aspx
Put in make/year/model. 
Site complains that my browser is rejecting cookies. 

I check tools/options/privacy and accept third party cookies is unchecked. 
I check cookies on the page with cookie viewer, all the cookies are from either www.firstchoicemarine.com or .firstchoicemarine.com, not a third party. 

However the parts lookup is a frame, 
http://www.selocmarine.com/retail_counterman/index.php?aid=firch&header=none
an apparent data provider. 

This different domain has caused the site to fail to function because of the third party cookies being blocked. Checking accept third party cookies restores functionality of this site.

I realize this is likely as designed but clearly this must come up many times, where a data provider site is in a frame but the cookies are being handed out from the underlying site.  

Can firefox somehow address this? 

Reproducible: Always

Steps to Reproduce:
1. Uncheck accept third party cookies, a privacy setting.
2. Go to http://www.firstchoicemarine.com/c-643-parts-finder.aspx
3. Use the parts finder, but it fails because the embedded frame is from http://www.selocmarine.com/retail_counterman/index.php?aid=firch&header=none but the cookies come from the underlying site.
4. Function is restored by allowing third party cookies.
5. The only solution is to allow third party cookies globally. What was the reason for allowing their restriction in the privacy settings if they have to be allowed globally to make legitimate websites work?

Actual Results:
Site fails after you put in make/year/model because of third party cookies restriction in Firefox privacy settings. 

Expected Results:  
Cookies from firstchoicemarine.com are accepted, as first party cookies.  The frame from another site causes this to fail when accept third party cookies is selected.  

Not sure, but this is the first time I have seen this issue.  There must be many embedded frames with functions provided by a third party, and clearly most work even with third party cookies blocked.

How should this be addressed?
The reason why the option is not enabled by default is exactly due to this issue.

I've never seen the problem before, and I have had the third party cookies disabled for a long time. 

I surf the web a *lot*.  

If this is a problem why is it there?  Because cross site cookie theft is a giant security problem, right?  

Surely the best solution is not like the one Microsoft used to use, where if you disabled certain scripting and the like for security reasons you would get 15,000 popups asking you to allow this or that, and there was no option to turn those popups off.  It would drive you nuts. Or push you to Firefox.  

That was discussed at a Microsoft developers conference in Rancho Mirage, CA, BTW. "Put a script at the top of every page, no matter how innocuous, to force users to turn the scripting back on."

Ridiculous.

>If this is a problem why is it there?
Because the website works only with this cookie.
>Because cross site cookie theft is a giant security problem, right?  

That would be a security problem but the preference doesn't permit cross site cookie stealing and it wouldn't prevent it.

I mark this wontfix because this can't be fixed.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
What about the test case site makes that so unusual?  

Are there other instances where this type of site design causes site functionality to fail because of that setting?