Closed
Bug 67447
Opened 24 years ago
Closed 23 years ago
iframes allow the setting of third party cookies
Categories
(Core :: Networking: Cookies, enhancement)
Core
Networking: Cookies
Tracking
()
mozilla1.0
People
(Reporter: ianholsman, Assigned: morse)
References
()
Details
(Keywords: helpwanted, privacy)
Hi. I was playing with cookies, and found that the 'Enable Cookies from originating web site only' option does not block setting a 3rd party cookie if you set it via a iframe eg... on foo.org ..<iframe src="www.nastyweb.com/"> will let nastyweb.com set a cookie I belive that some less privacy orientated web advertising networks are already using this trick in stead of img tags
Comment 1•24 years ago
|
||
Reporter what version of Mozilla are you running? Also can you create a testcase for us?
Reporter | ||
Comment 2•24 years ago
|
||
Build: 2001010901 Try the following URL's http://holsman.net/test/img.html http://holsman.net/test/iframe.html
Comment 3•24 years ago
|
||
Confirmed Platform: PC OS: Windows 98 Mozilla Build: 2001020320 Marking New.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: 3rd Party Cookies and IFrames → IFrames allow the setting of 3rd party cookies
Assignee | ||
Comment 4•24 years ago
|
||
Problem is the following call in SetCookieStringFromHttp which is in module nsCookieService.cpp: rv = aFirstURL->GetSpec(&firstSpec); This call is supposed to return the originating URL. And it does so in the case of cookies being set from images. But it is apparently giving the current URL in the case of an iframe. So the problem is in the GetSpec routine when called on behalf of an iframe. Reassigning to networking.
Assignee: morse → darin
Component: Cookies → Networking: HTTP
Comment 5•24 years ago
|
||
Networking doesn't have any knowledge of IFrames. If the URL is from a channel, then the caller should perhaps invoke GetOriginalURI(). Reassigning to Layout.
Assignee: darin → karnaze
Component: Networking: HTTP → Layout
QA Contact: tever → petersen
Reporter | ||
Comment 6•24 years ago
|
||
I have tried, but I also think that this might affect any kind of linked page (like a style sheet, or Javascript page)
Comment 8•23 years ago
|
||
Can this bug get looked at? It's a privacy concern, and should probably be fixed for 1.0...
Comment 9•23 years ago
|
||
I'm not sure that this is a bug. The IFrame contains a document with a URL, and the cookie is being set for that document, from the source URL. It is just as if you had opened the document in the IFrame in it's own window - you would expect the cookie to be accepted. Why do we assume that a cookie from and IFrame should not be accepted?
Reporter | ||
Comment 10•23 years ago
|
||
as 3rd parties (like a certain unnamed ad-company) use this method to get around 3rd parties cookies protection. instead of just intserting a IMG tag, they do it via a IFrame. and get the cookie passed to them. they have the referer URL, and any arguments passed when creating the IFrame allowing them to track you.
Assignee | ||
Comment 11•23 years ago
|
||
*** Bug 96351 has been marked as a duplicate of this bug. ***
Comment 12•23 years ago
|
||
This is making 'accept cookies only from originating server' pratically useless.
Comment 13•23 years ago
|
||
So, why is the page author putting in an IFrame in the first place? Inserting an IFrame with a document from a third party into your page is obviously going to require some trust. They could have script that does all kinds of funksy stuff too. But maybe I misunderstand this. Is the document in the IFrame getting cookies from the URL of the document that _contains_ the IFrame, or is it that the document in the IFrame is allowed to send cookies that will only be sent back to it? Even if this is NOT a bug, it might still be a good idea to allow the option to restrict how documents in IFrames can submit and receive cookies. Also, maybe we could restrict the creation of IFrames that have documents from other URLs - this could prevent all kinds of nasty problems, not just with cookies but script as well.
Comment 14•23 years ago
|
||
Re: Mark Attinasi's question: This bug (as I understand it) deals with cookies being set by the site within the iframe, not by the containing site. If this is not considered a bug, this should probably be considered an enhancement request: users should be able to block cookies from iframes (and maybe even regular frames?) for the same reason they should be able to block cookies from third-party images. By the way, blocking of cookies from third-party images isn't working 100% right now anyway, see bug 87731.
Comment 15•23 years ago
|
||
I personally think that this is an enhancement request, and it goes something like: "User should have a pref to disable accepting cookies from foreign embedded documents". I guess that there would be a UI component, and a backend component, but I'm not sure how layout would be involved. Reassigning to the 'Cookies' component, and CC"ing myself in case there is something to do in layout. If instead it is decided (by people who understand Cookie management better than I do, which is just about everyone) that we really just want to do someting like what was suggested in "Additional Comments From Darin Fisher 2001-02-07 12:30" then send it back to me and I'll try to learn about this.
Assignee: attinasi → morse
Component: Layout → Cookies
QA Contact: petersen → tever
Assignee | ||
Updated•23 years ago
|
Severity: normal → enhancement
Target Milestone: --- → Future
Comment 16•23 years ago
|
||
For those who aren't aware, IE6's privacy features are much better then Mozilla's. Mozilla may have had them first, but they've been buggy with awful UI.
Comment 17•23 years ago
|
||
Is there no fix possible for 1.0 here? Darin suggested using GetOriginalURI(), and there was no reply to that. I emptied my cookies and went to www.theregister.co.uk, Mozilla accepted a cookie from .doubleclick.net AND www.vibrantmedia.com. Makes me wonder if ANYONE even sets non-iframe 3rd party cookies. Is this just not possible without major arch changes, or is there pressure from commercial entities?
Keywords: helpwanted,
mozilla0.9.6
Assignee | ||
Comment 18•23 years ago
|
||
This bug is actually related to bug 87388, which in turn is blocked by bug 87731.
Status: NEW → ASSIGNED
Depends on: 87731
Comment 19•23 years ago
|
||
fixing summary, this always escapes my queries blocks generic "third party cookie blocking doesn't work"
Blocks: 87388
Summary: IFrames allow the setting of 3rd party cookies → iframes allow the setting of third party cookies
Assignee | ||
Comment 20•23 years ago
|
||
Reconsidering this. It shouldn't be futured. Retargetting for 0.9.9
Target Milestone: Future → mozilla0.9.9
Assignee | ||
Comment 21•23 years ago
|
||
Note going to make it in 0.9.9. Pushing out to 1.0
Target Milestone: mozilla0.9.9 → mozilla1.0
Assignee | ||
Comment 22•23 years ago
|
||
This is a subset of bug 87388. The patch in that bug report fixes this as well. And the test suite created for that bug report includes iframes. *** This bug has been marked as a duplicate of 87388 ***
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•