Last Comment Bug 625496 - Clear Adobe Flash Cookies (LSOs) when Cookies is selected in Clear Recent History
: Clear Adobe Flash Cookies (LSOs) when Cookies is selected in Clear Recent His...
Status: VERIFIED FIXED
[softblocker][requires Flash 10.3]
:
Product: Firefox
Classification: Client Software
Component: Private Browsing (show other bugs)
: Trunk
: All All
: -- enhancement with 6 votes (vote)
: Firefox 4.0b12
Assigned To: dwitte@gmail.com
:
Mentors:
Depends on: 646074 886832 508167 633433 633463
Blocks: 565561 625495 632746
  Show dependency treegraph
 
Reported: 2011-01-13 14:33 PST by Mike Beltzner [:beltzner, not reading bugmail]
Modified: 2013-12-27 14:32 PST (History)
19 users (show)
bugzillamozillaorg_serge_20140323: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
final+


Attachments
patch (10.60 KB, patch)
2011-02-01 21:07 PST, dwitte@gmail.com
ehsan: review+
Details | Diff | Splinter Review
patch v2 (10.73 KB, patch)
2011-02-02 15:19 PST, dwitte@gmail.com
dwitte: review+
Details | Diff | Splinter Review

Description Mike Beltzner [:beltzner, not reading bugmail] 2011-01-13 14:33:38 PST
Bug 508167 will implement support for the NPAPI methods that Adobe Flash will support in Adobe Flash 10.2+, allowing us to tell that application to delete their version of cookies (LSOs) as well.

Previously we have seen a lot of evidence that users are surprised that Flash objects store data on their system and further that this data isn't cleared when browser cookies are cleared. It seems evident that to the user, cookies = cookies, and so the best way to match expectations would be to interpret cookie-clearing actions as meaning "web and flash cookies".

When "Clear Recent History..." is selected from the Tools menu, if the "Cookies" checkbox is selected, we should also use the new API from bug 508167 to clear Adobe Flash LSOs for the same time period. Yes, this will clear all LSOs even those set by other browsers; that's acceptable, IMO.
Comment 1 dwitte@gmail.com 2011-02-01 21:07:07 PST
Created attachment 509015 [details] [diff] [review]
patch

This adds relevant bits to sanitize.js, and some tests. Ehsan, I'm not sure if you want to review this or delegate to Josh, who's reviewing the backend bits in bug 508167 -- it might make sense for both of you to look at it, since Josh will be familiar with how the guts works.
Comment 2 :Ehsan Akhgari (away Aug 1-5) 2011-02-02 14:44:26 PST
Comment on attachment 509015 [details] [diff] [review]
patch

>+        // Clear plugin data.
>+        let ph = Components.classes["@mozilla.org/plugin/host;1"]
>+                           .getService(Ci.nsIPluginHost);
>+        const phInterface = Ci.nsIPluginHost_MOZILLA_2_0_BRANCH;
>+        const FLAG_CLEAR_ALL = phInterface.FLAG_CLEAR_ALL;
>+        ph.QueryInterface(phInterface);

Please use Cc and Ci in the new code you're adding too.

>+        // Determine age range in seconds. (-1 means clear all.) We don't know
>+        // that this.range[1] is actually now, so we compute age range based
>+        // on the lower bound.
>+        let age = this.range ? (Date.now() / 1e3 - this.range[0] / 1e6) : -1;

s/1e3/1000/ and s/1e6/1000000/.  This code is unreadable enough as it stands.  ;-)

>+        let tags = ph.getPluginTags();
>+        for (let i = 0; i < tags.length; i++) {
>+          try {
>+            ph.clearSiteData(tags[i], null, FLAG_CLEAR_ALL, age);
>+          } catch (e) {
>+            // If the plugin doesn't support clearing by age, clear everything.
>+            if (e.result == Cr.NS_ERROR_PLUGIN_TIME_RANGE_NOT_SUPPORTED) {

Also check here that age != -1.

>+              try {
>+                ph.clearSiteData(tags[i], null, FLAG_CLEAR_ALL, -1);
>+              } catch (e) {
>+                // Ignore errors from the plugin
>+              }
>+            }
>+          }
>+        }
>+

r=me with the above nits addressed.
Comment 3 dwitte@gmail.com 2011-02-02 15:19:09 PST
Created attachment 509263 [details] [diff] [review]
patch v2

Fixed nits.
Comment 4 dwitte@gmail.com 2011-02-02 15:20:41 PST
Comment on attachment 509263 [details] [diff] [review]
patch v2

Requesting approval. This is a softblocker and wanted for 2.0.
Comment 5 :Ehsan Akhgari (away Aug 1-5) 2011-02-02 16:44:06 PST
If this is a softblocker, it should be marked as such.
Comment 6 dwitte@gmail.com 2011-02-08 14:19:28 PST
http://hg.mozilla.org/mozilla-central/rev/2ff5b8624463
Comment 7 dwitte@gmail.com 2011-02-08 14:19:50 PST
(Wrong link, should be http://hg.mozilla.org/mozilla-central/rev/37094ed97c9e)
Comment 8 dickvl 2011-02-11 16:50:17 PST
I had a look at the current revision of the file sanitize.js and noticed a weird mixture of Cc and Ci and Components.classes and Components.interfaces
That file could use a check and cleanup

Some examples:
140         var cookieMgr = Components.classes["@mozilla.org/cookiemanager;1"]
141                                   .getService(Ci.nsICookieManager);

208         const Cc = Components.classes;
209         const Ci = Components.interfaces;
210         var cacheService = Cc["@mozilla.org/network/cache-service;1"].
211                            getService(Ci.nsICacheService);

http://mxr.mozilla.org/mozilla-central/source/browser/base/content/sanitize.js
Comment 9 dwitte@gmail.com 2011-02-11 16:52:16 PST
Yup, feel free to file a bug and patch!
Comment 10 keegkey 2011-02-13 05:19:57 PST
Just one question, shouldn't be this functionality also added under Options->Privacy->"Show Cookies.."->"Remove All Cookies"? When user click this button expects all cookies to be deleted including LSOs, since ff4 will now support deleting of LSOs.
Comment 11 Vlad [QA] 2011-04-04 08:43:34 PDT
Still reproduceble on Mozilla/5.0 (Windows NT 6.1; rv:2.2a1pre) Gecko/20110404 Firefox/4.2a1pre.

The .sol files are not deleted when the Tools > Clear Recent History item is clicked.
I have to delete manually the .sol files.
Comment 12 Will 2011-04-30 10:54:54 PDT
I also can still reproduce. I think this bug needs to be reopened.
Comment 13 Henrik Skupin (:whimboo) 2011-05-02 02:31:53 PDT
Vlad or Will, can you please tell me which URL you are using to test this fix?
Comment 14 Vlad [QA] 2011-05-02 04:40:05 PDT
I have accumulate some history (random pages), no specific URL.
Comment 15 Henrik Skupin (:whimboo) 2011-05-02 05:27:25 PDT
(In reply to comment #14)
> I have accumulate some history (random pages), no specific URL.

Can you please tell me a Flash application which definitely stores a Flash cookie on disk? Should be one of those entries from within your history. Thanks.
Comment 16 Will 2011-05-02 05:36:24 PDT
Any URL will produce these results for me, but Gmail and YouTube are a couple in specific.
Comment 17 Vlad [QA] 2011-05-02 05:59:01 PDT
Youtube for example. I have tried on the latest build, Mozilla/5.0 (Windows NT 6.1; rv:6.0a1) Gecko/20110501 Firefox/6.0a1 and the issue it's still reproducible. After clearing the History, the lso's are still present in the Macromedia folder under Win7. (Users/user/Appdata/Roaming/Macromedia/FlashPlayer/#SharedObjects/"random created directory/)
Comment 18 Henrik Skupin (:whimboo) 2011-05-02 06:23:22 PDT
Ok, was able to get it to reproduce on OS X with Fx4 final. No .sol files are getting deleted via the clear recent history dialog or on shutdown. Same with Aurora or Nightly builds.
Comment 19 Robert Kaiser 2011-05-02 07:29:27 PDT
Make sure you have Flash 10.2 or newer, as Adobe only seems to have implemented the interface there.
Comment 20 Henrik Skupin (:whimboo) 2011-05-02 07:45:58 PDT
That has already been told in comment 0. So I'm aware of it. Just for reference here my installed version of Flash:

    Version: 10.2.159.1
    Shockwave Flash 10.2 r159
Comment 21 Daniel Cater 2011-05-02 10:03:02 PDT
I see this on Linux as well with:

Mozilla/5.0 (X11; Linux i686; rv:6.0a1) Gecko/20110502 Firefox/6.0a1

and:

Shockwave Flash

    File: libflashplayer.so
    Version: 
    Shockwave Flash 10.2 r159

Steps to reproduce:

1. Delete ~/.macromedia and ~/.adobe

2. Close all browsers.

3. Start Nightly and create a fresh profile (./firefox --profilemanager)

4. Start with that profile and go to youtube.com

5. Start playing any video.

6. Open a new blank tab and close all other tabs (no need to watch any of the video).

7. Go to Tools -> Clear Recent History...

8. Select "Everything" for the time range and check all options, then "Clear Now".

9. Close the browser.

10. cd ~/.macromedia

11. ls --recursive

Results:

================================================

~/.macromedia$ ls --recursive
.:
Flash_Player

./Flash_Player:
macromedia.com  #SharedObjects

./Flash_Player/macromedia.com:
support

./Flash_Player/macromedia.com/support:
flashplayer

./Flash_Player/macromedia.com/support/flashplayer:
sys

./Flash_Player/macromedia.com/support/flashplayer/sys:
settings.sol  #s.ytimg.com

./Flash_Player/macromedia.com/support/flashplayer/sys/#s.ytimg.com:
settings.sol

./Flash_Player/#SharedObjects:
H73THJQY

./Flash_Player/#SharedObjects/H73THJQY:
s.ytimg.com

./Flash_Player/#SharedObjects/H73THJQY/s.ytimg.com:
videostats.sol

================================================

The ~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/settings.sol file is for the global settings of the Flash player and doesn't reveal any private information as far as I can tell.

The ~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#s.ytimg.com/settings.sol file is for that site's individual settings (such as "always ask to use the webcam"). The file itself I don't think reveals any private information, but clearly the directory name does.

The ~/.macromedia/Flash_Player/#SharedObjects/H73THJQY/s.ytimg.com/videostats.sol is the site's cookie which could reveal a number of pieces of private information (and obviously the directory name does as well).

The last two files can be seen in the Flash Settings Manager here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html#117645 and here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html#117717

The ~/.adobe directory also gets created again but there don't seem to be any files in there.

cd ~/.adobe

ls --recursive

================================================

~/.adobe$ ls --recursive 
.:
Flash_Player

./Flash_Player:
AssetCache

./Flash_Player/AssetCache:
269N8LUX

./Flash_Player/AssetCache/269N8LUX:

================================================
Comment 22 :Ehsan Akhgari (away Aug 1-5) 2011-05-03 15:29:21 PDT
Josh, can you take a look, please?
Comment 23 Josh Aas 2011-05-03 15:56:18 PDT
I believe the functionality in question here is supported only in Flash 10.3. Can someone confirm that it works with the Flash 10.3 beta or release candidate?
Comment 24 Will 2011-05-04 17:57:11 PDT
(In reply to comment #23)
> I believe the functionality in question here is supported only in Flash 10.3.
> Can someone confirm that it works with the Flash 10.3 beta or release
> candidate?

I just tested the functionality in Nightly 2011-05-04 and Flash Player 10.3.181.5 RC 1 from FileHippo, and the LSOs do clear properly on browser exit along with the regular cookies.
Comment 25 Henrik Skupin (:whimboo) 2011-05-05 03:13:14 PDT
(In reply to comment #23)
> I believe the functionality in question here is supported only in Flash 10.3.
> Can someone confirm that it works with the Flash 10.3 beta or release
> candidate?

Also checked the web today and you are right. It's not Flash 10.2 we have to test with but Flash 10.3:

https://threatpost.com/en_us/blogs/chrome-ie-give-users-ability-delete-flash-cookies-050411

Vlad and Daniel, can you both please test on your platform? I will check on OS X.

For now I will mark this bug as fixed again.
Comment 26 Vlad [QA] 2011-05-05 07:06:28 PDT
After repeating the steps from comment17, there are no LSO's in the folder, not even if I watched some youtube clips, instead in that folder are some SOL files, and these cannot be deleted only manual. I don't know if this is intended or not.
Comment 27 Henrik Skupin (:whimboo) 2011-05-12 04:31:43 PDT
Works fine for me now with Flash 10.3RC1 and Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Any files including the .sol files are getting deleted under:
~/Library/Preferences/Macromedia/Flash Player/#SharedObjects

Only the one .sol file under the following folder remains because it seems to contain some general settings:

~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys

Vlad and Daniel, can you please re-test on Windows and Linux? Thanks.
Comment 28 Vlad [QA] 2011-05-12 07:38:42 PDT
Works fine for me using the latest flash 10.3 rc on: 
Mozilla/5.0 (Windows NT 6.1; rv:6.0a1) Gecko/20110511 Firefox/6.0a1

and also on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0a1) Gecko/20110511 Firefox/6.0a1

Due to some technical issues, I couldn't see if it's working or not on Ubuntu. Perhaps Daniel Cater will help us in this matter so that the status can be changed to Verified Fixed
Comment 29 Daniel Cater 2011-05-12 14:18:21 PDT
I didn't test it earlier because I hadn't worked out where in the home directory to install the release candidate (so that the stable version stayed in /usr).

Turns out $HOME/.mozilla/plugins/ is the place, but it doesn't exist by default.

Looks like 10.3 final was just released, so I tested with that (Shockwave Flash 10.3 r181).

Following the same steps as I did in comment 21, I can see that this is fixed. The directories and files that contain private information disappear from the filesystem, and also from the Flash settings manager.

People on Firefox 4 and above should see the benefits of this once Flash 10.3 is pushed out as an update by Adobe.
Comment 30 Henrik Skupin (:whimboo) 2011-05-12 14:31:18 PDT
Thanks Daniel! Setting bug to verified fixed.
Comment 31 Claudio Fontana 2011-05-28 01:45:39 PDT
This change had a destructive effect on my flash local shared objects, as I upgraded to the newest firefox 4 + flash plugin 10.3.
It was only games, so I don't care that much.

I would have thought that the flash shared objects could be a subset of the cookies/history thing, so as to be controlled separately.

The cookies could have the same kind of Settings button that history has.

The upgrade of a "keep cookies until I close firefox" could have been mapped to a "keep cookies until I close firefox" with settings containing a deselected flash shared obj checkbox, with the same cookie settings effecting the "clear history when firefox closes".

It is difficult (impossible?) to reproduce the behaviour I would like, which is to remove all cookies and history at each browser close, with the exception of local shared objects, which I'd like to keep.
Comment 32 Henrik Skupin (:whimboo) 2011-05-28 01:53:31 PDT
Claudio please file a new bug for it. This bug is closed. Thanks.

Note You need to log in before you can comment on or make changes to this bug.