Closed Bug 660719 Opened 9 years ago Closed 6 years ago

the browser shouldn't accept cookie(s) from "safebrowsing" provider (ie. Google) during "safebrowsing" communication

Categories

(Toolkit :: Safe Browsing, defect)

RESOLVED DUPLICATE of bug 897516

People

(Reporter: bartml, Unassigned)

Details

(Keywords: privacy)

User-Agent:       Konqueror
Build Identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Since Firefox 2 there is an extension from Google integrated into the browser -- so called "safebrowsing" service that blocks sites marked by Google as "bad". (There was a major change in details of the protocol between Firefox 2 and 3, but it is actually not relevant here.)

When "safebrowsing"-related communication takes place, cookies from the "safebrowsing" provider are not only sent (see bug 368255), but also silently accepted. It has obvious privacy implications -- even when the user removes all cookies (including cookies from Google), then they "magically" reappear, even when the user doesn't use the browser at all.

(Please note that options in UI related with so-called "safebrowsing" DON'T mention the name of the "safebrowsing provider". See bug 430741 where I prepared the patch that was adding "Google" in descriptions of relevant options, but it was decided by limi that it is not wanted.)

STR follow.

Reproducible: Always

Steps to Reproduce:
1. Run the browser with just one tab.
2. Write "about:blank" (without quotes) in address field and press "Enter" to make sure that you have only blank page opened, and nothing else.
3. Remove all cookies (or only cookies from "safebrowsing" provider - which is currently Google - ie. cookies from google.com domain): Edit -> Preferences... (Linux) or Tools -> Options (Windows), then Privacy panel, then click on "remove individual cookies" to display the Cookies window and remove all (or selected, ie. from google.com) cookies.
4. Close the Cookies and Preferences windows, but leave the browser open (with about:blank page). Wait 30-40 minutes (at most, usually; the exact amount of time between consecutive periodic requests related to so-called "safebrowsing" is given by the server each time, so it only depends on Google; usually it was 30 minutes as far as I can tell).
5. Check the cookie manager (Edit -> Preferences... (Linux) or Tools -> Options (Windows), then Privacy panel, then click on "remove individual cookies" to display the Cookies window) and note that a cookie from google.com appeared.


Actual Results:  
Cookie from Google (ie. from so called "safebrowsing provider") appears even when user doesn't visit any Google-related site.

Expected Results:  
Cookie from Google shouldn't appear.
Keywords: privacy
From bug 368255, it seems the cookie is necessary for safebrowsing.

Is this cookie accepted even when cookies are disabled? Otherwise this seems pretty reasonable, we already have services that run in the background when the browser is "doing nothing" (such as Sync) that can modify the state of the browser.
Version: unspecified → Trunk
We're isolating this cookie away from the rest of your cookies in bug 897516.  The effect is that cookies that come in through safebrowsing are only sent back in requests for safebrowsing (not during regular google.com traffic).

BartZilla: will this work?  Seems to me that doing that will "fix" this bug.
Depends on: 897516
Flags: needinfo?(bartml)
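
The isolation described in the comment above, replayed against a simplified model of a partitioned cookie store. This is an added example, not Firefox code and not part of the bug; the jar names, host names, cookie name and values are constructed for illustration.

```javascript
// Simplified model, not Firefox code. Jar names and hosts are constructed.
class PartitionedCookieStore {
  constructor() {
    this.jars = new Map(); // jar name -> array of {domain, name, value}
  }

  // Record a cookie set by a response that arrived in `jar`'s context.
  store(jar, domain, name, value) {
    const list = this.jars.get(jar) ?? [];
    const kept = list.filter(c => !(c.domain === domain && c.name === name));
    kept.push({ domain, name, value });
    this.jars.set(jar, kept);
  }

  // Cookie header for a request to `host` made in `jar`'s context.
  // Domain matching: exact host or a subdomain of the cookie's domain.
  cookieHeader(jar, host) {
    return (this.jars.get(jar) ?? [])
      .filter(c => host === c.domain || host.endsWith("." + c.domain))
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }

  // "Remove all cookies" applied to one jar.
  clear(jar) {
    this.jars.delete(jar);
  }
}

// Replays the report's scenario: the user clears cookies, then a background
// list update sets a cookie, then the user visits a regular Google page.
function replayScenario() {
  const store = new PartitionedCookieStore();
  store.store("default", "google.com", "id", "constructed-a");
  store.clear("default"); // user removes all cookies
  // The update response sets a cookie; it lands in the isolated jar only.
  store.store("safebrowsing", "google.com", "id", "constructed-b");
  return {
    regularVisit: store.cookieHeader("default", "www.google.com"),
    nextUpdate: store.cookieHeader("safebrowsing", "safebrowsing.google.com"),
    otherSite: store.cookieHeader("safebrowsing", "example.org"),
  };
}

console.log(replayScenario());
```

In the model, the cookie set during the update is returned only on the next update request; the regular visit to the same domain carries no cookie.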
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #2)
> BartZilla: will this work?  Seems to me that doing that will "fix" this bug.

Yeah, I guess it should.
(Sorry for delay in responding.)
Flags: needinfo?(bartml)
Thanks, duping it to that bug then.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 897516
Product: Firefox → Toolkit