Clear Adobe Flash Cookies (LSOs) when Cookies is selected in Clear Recent History

VERIFIED FIXED in Firefox 4.0b12



8 years ago
5 years ago


(Reporter: beltzner, Assigned: dwitte)


Firefox 4.0b12
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking2.0 final+)


(Whiteboard: [softblocker][requires Flash 10.3])


(1 attachment, 1 obsolete attachment)

10.73 KB, patch
: review+
Details | Diff | Splinter Review
Bug 508167 will implement support for the NPAPI methods that Adobe Flash will support in Adobe Flash 10.2+, allowing us to tell that application to delete their version of cookies (LSOs) as well.

Previously we have seen a lot of evidence that users are surprised that Flash objects store data on their system and further that this data isn't cleared when browser cookies are cleared. It seems evident that to the user, cookies = cookies, and so the best way to match expectations would be to interpret cookie-clearing actions as meaning "web and flash cookies".

When "Clear Recent History..." is selected from the Tools menu, if the "Cookies" checkbox is selected, we should also use the new API from bug 508167 to clear Adobe Flash LSOs for the same time period. Yes, this will clear all LSOs even those set by other browsers; that's acceptable, IMO.
Severity: normal → enhancement
Component: Menus → Private Browsing
OS: Mac OS X → All
QA Contact: menus → private.browsing
Hardware: x86 → All
Version: unspecified → Trunk


8 years ago
Blocks: 625495

Comment 1

8 years ago
Posted patch patch (obsolete) — Splinter Review
This adds relevant bits to sanitize.js, and some tests. Ehsan, I'm not sure if you want to review this or delegate to Josh, who's reviewing the backend bits in bug 508167 -- it might make sense for both of you to look at it, since Josh will be familiar with how the guts works.
Assignee: nobody → dwitte
Attachment #509015 - Flags: review?(ehsan)

Comment 2

8 years ago
Comment on attachment 509015 [details] [diff] [review]

>+        // Clear plugin data.
>+        let ph = Components.classes[";1"]
>+                           .getService(Ci.nsIPluginHost);
>+        const phInterface = Ci.nsIPluginHost_MOZILLA_2_0_BRANCH;
>+        const FLAG_CLEAR_ALL = phInterface.FLAG_CLEAR_ALL;
>+        ph.QueryInterface(phInterface);

Please use Cc and Ci in the new code you're adding too.

>+        // Determine age range in seconds. (-1 means clear all.) We don't know
>+        // that this.range[1] is actually now, so we compute age range based
>+        // on the lower bound.
>+        let age = this.range ? ( / 1e3 - this.range[0] / 1e6) : -1;

s/1e3/1000/ and s/1e6/1000000/.  This code is unreadable enough as it stands.  ;-)

>+        let tags = ph.getPluginTags();
>+        for (let i = 0; i < tags.length; i++) {
>+          try {
>+            ph.clearSiteData(tags[i], null, FLAG_CLEAR_ALL, age);
>+          } catch (e) {
>+            // If the plugin doesn't support clearing by age, clear everything.
>+            if (e.result == Cr.NS_ERROR_PLUGIN_TIME_RANGE_NOT_SUPPORTED) {

Also check here that age != -1.

>+              try {
>+                ph.clearSiteData(tags[i], null, FLAG_CLEAR_ALL, -1);
>+              } catch (e) {
>+                // Ignore errors from the plugin
>+              }
>+            }
>+          }
>+        }

r=me with the above nits addressed.
Attachment #509015 - Flags: review?(ehsan) → review+

Comment 3

8 years ago
Posted patch patch v2Splinter Review
Fixed nits.
Attachment #509015 - Attachment is obsolete: true
Attachment #509263 - Flags: review+

Comment 4

8 years ago
Comment on attachment 509263 [details] [diff] [review]
patch v2

Requesting approval. This is a softblocker and wanted for 2.0.
Attachment #509263 - Flags: approval2.0?


8 years ago
Whiteboard: [softblocker]

Comment 5

8 years ago
If this is a softblocker, it should be marked as such.
blocking2.0: --- → ?
blocking2.0: ? → final+

Comment 6

8 years ago
Last Resolved: 8 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Target Milestone: --- → Firefox 4.0b12


8 years ago
Depends on: 633433


8 years ago
Depends on: 633463


8 years ago
No longer depends on: 633463


8 years ago
Depends on: 633463


8 years ago
No longer depends on: 633463

Comment 8

8 years ago
I had a look at the current revision of the file sanitize.js and noticed a weird mixture of Cc and Ci and Components.classes and Components.interfaces
That file could use a check and cleanup

Some examples:
140         var cookieMgr = Components.classes[";1"]
141                                   .getService(Ci.nsICookieManager);

208         const Cc = Components.classes;
209         const Ci = Components.interfaces;
210         var cacheService = Cc[";1"].
211                            getService(Ci.nsICacheService);

Comment 9

8 years ago
Yup, feel free to file a bug and patch!


8 years ago
Depends on: 633463

Comment 10

8 years ago
Just one question, shouldn't be this functionality also added under Options->Privacy->"Show Cookies.."->"Remove All Cookies"? When user click this button expects all cookies to be deleted including LSOs, since ff4 will now support deleting of LSOs.


8 years ago
Depends on: 646074

Comment 11

8 years ago
Still reproduceble on Mozilla/5.0 (Windows NT 6.1; rv:2.2a1pre) Gecko/20110404 Firefox/4.2a1pre.

The .sol files are not deleted when the Tools > Clear Recent History item is clicked.
I have to delete manually the .sol files.

Comment 12

8 years ago
I also can still reproduce. I think this bug needs to be reopened.
Vlad or Will, can you please tell me which URL you are using to test this fix?

Comment 14

8 years ago
I have accumulate some history (random pages), no specific URL.
(In reply to comment #14)
> I have accumulate some history (random pages), no specific URL.

Can you please tell me a Flash application which definitely stores a Flash cookie on disk? Should be one of those entries from within your history. Thanks.

Comment 16

8 years ago
Any URL will produce these results for me, but Gmail and YouTube are a couple in specific.

Comment 17

8 years ago
Youtube for example. I have tried on the latest build, Mozilla/5.0 (Windows NT 6.1; rv:6.0a1) Gecko/20110501 Firefox/6.0a1 and the issue it's still reproducible. After clearing the History, the lso's are still present in the Macromedia folder under Win7. (Users/user/Appdata/Roaming/Macromedia/FlashPlayer/#SharedObjects/"random created directory/)
Ok, was able to get it to reproduce on OS X with Fx4 final. No .sol files are getting deleted via the clear recent history dialog or on shutdown. Same with Aurora or Nightly builds.
Resolution: FIXED → ---

Comment 19

8 years ago
Make sure you have Flash 10.2 or newer, as Adobe only seems to have implemented the interface there.
That has already been told in comment 0. So I'm aware of it. Just for reference here my installed version of Flash:

    Shockwave Flash 10.2 r159

Comment 21

8 years ago
I see this on Linux as well with:

Mozilla/5.0 (X11; Linux i686; rv:6.0a1) Gecko/20110502 Firefox/6.0a1


Shockwave Flash

    Shockwave Flash 10.2 r159

Steps to reproduce:

1. Delete ~/.macromedia and ~/.adobe

2. Close all browsers.

3. Start Nightly and create a fresh profile (./firefox --profilemanager)

4. Start with that profile and go to

5. Start playing any video.

6. Open a new blank tab and close all other tabs (no need to watch any of the video).

7. Go to Tools -> Clear Recent History...

8. Select "Everything" for the time range and check all options, then "Clear Now".

9. Close the browser.

10. cd ~/.macromedia

11. ls --recursive



~/.macromedia$ ls --recursive

./Flash_Player:  #SharedObjects










The ~/.macromedia/Flash_Player/ file is for the global settings of the Flash player and doesn't reveal any private information as far as I can tell.

The ~/.macromedia/Flash_Player/ file is for that site's individual settings (such as "always ask to use the webcam"). The file itself I don't think reveals any private information, but clearly the directory name does.

The ~/.macromedia/Flash_Player/#SharedObjects/H73THJQY/ is the site's cookie which could reveal a number of pieces of private information (and obviously the directory name does as well).

The last two files can be seen in the Flash Settings Manager here: and here:

The ~/.adobe directory also gets created again but there don't seem to be any files in there.

cd ~/.adobe

ls --recursive


~/.adobe$ ls --recursive 





Comment 22

8 years ago
Josh, can you take a look, please?

Comment 23

8 years ago
I believe the functionality in question here is supported only in Flash 10.3. Can someone confirm that it works with the Flash 10.3 beta or release candidate?

Comment 24

8 years ago
(In reply to comment #23)
> I believe the functionality in question here is supported only in Flash 10.3.
> Can someone confirm that it works with the Flash 10.3 beta or release
> candidate?

I just tested the functionality in Nightly 2011-05-04 and Flash Player RC 1 from FileHippo, and the LSOs do clear properly on browser exit along with the regular cookies.
(In reply to comment #23)
> I believe the functionality in question here is supported only in Flash 10.3.
> Can someone confirm that it works with the Flash 10.3 beta or release
> candidate?

Also checked the web today and you are right. It's not Flash 10.2 we have to test with but Flash 10.3:

Vlad and Daniel, can you both please test on your platform? I will check on OS X.

For now I will mark this bug as fixed again.
Last Resolved: 8 years ago8 years ago
Resolution: --- → FIXED
Whiteboard: [softblocker] → [softblocker][requires Flash 10.3]

Comment 26

8 years ago
After repeating the steps from comment17, there are no LSO's in the folder, not even if I watched some youtube clips, instead in that folder are some SOL files, and these cannot be deleted only manual. I don't know if this is intended or not.
Works fine for me now with Flash 10.3RC1 and Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Any files including the .sol files are getting deleted under:
~/Library/Preferences/Macromedia/Flash Player/#SharedObjects

Only the one .sol file under the following folder remains because it seems to contain some general settings:

~/Library/Preferences/Macromedia/Flash Player/

Vlad and Daniel, can you please re-test on Windows and Linux? Thanks.

Comment 28

8 years ago
Works fine for me using the latest flash 10.3 rc on: 
Mozilla/5.0 (Windows NT 6.1; rv:6.0a1) Gecko/20110511 Firefox/6.0a1

and also on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0a1) Gecko/20110511 Firefox/6.0a1

Due to some technical issues, I couldn't see if it's working or not on Ubuntu. Perhaps Daniel Cater will help us in this matter so that the status can be changed to Verified Fixed

Comment 29

8 years ago
I didn't test it earlier because I hadn't worked out where in the home directory to install the release candidate (so that the stable version stayed in /usr).

Turns out $HOME/.mozilla/plugins/ is the place, but it doesn't exist by default.

Looks like 10.3 final was just released, so I tested with that (Shockwave Flash 10.3 r181).

Following the same steps as I did in comment 21, I can see that this is fixed. The directories and files that contain private information disappear from the filesystem, and also from the Flash settings manager.

People on Firefox 4 and above should see the benefits of this once Flash 10.3 is pushed out as an update by Adobe.
Thanks Daniel! Setting bug to verified fixed.

Comment 31

8 years ago
This change had a destructive effect on my flash local shared objects, as I upgraded to the newest firefox 4 + flash plugin 10.3.
It was only games, so I don't care that much.

I would have thought that the flash shared objects could be a subset of the cookies/history thing, so as to be controlled separately.

The cookies could have the same kind of Settings button that history has.

The upgrade of a "keep cookies until I close firefox" could have been mapped to a "keep cookies until I close firefox" with settings containing a deselected flash shared obj checkbox, with the same cookie settings effecting the "clear history when firefox closes".

It is difficult (impossible?) to reproduce the behaviour I would like, which is to remove all cookies and history at each browser close, with the exception of local shared objects, which I'd like to keep.
Claudio please file a new bug for it. This bug is closed. Thanks.
Depends on: 886832
You need to log in before you can comment on or make changes to this bug.