Closed Bug 67447 Opened 25 years ago Closed 24 years ago

iframes allow the setting of third party cookies

Categories

(Core :: Networking: Cookies, enhancement)

Product:
Core
Component:
Networking: Cookies
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED DUPLICATE of bug 87388
Milestone:
mozilla1.0

People

(Reporter: ianholsman, Assigned: morse)

References

(
URL
)

Details

(Keywords: helpwanted, privacy)

Hi. I was playing with cookies, and found that the 'Enable Cookies from originating web site only' option does not block setting a 3rd party cookie if you set it via a iframe eg... on foo.org ..<iframe src="www.nastyweb.com/"> will let nastyweb.com set a cookie I belive that some less privacy orientated web advertising networks are already using this trick in stead of img tags
Reporter what version of Mozilla are you running? Also can you create a testcase for us?
Build: 2001010901 Try the following URL's http://holsman.net/test/img.html http://holsman.net/test/iframe.html
Confirmed Platform: PC OS: Windows 98 Mozilla Build: 2001020320 Marking New.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: 3rd Party Cookies and IFrames → IFrames allow the setting of 3rd party cookies
Problem is the following call in SetCookieStringFromHttp which is in module nsCookieService.cpp: rv = aFirstURL->GetSpec(&firstSpec); This call is supposed to return the originating URL. And it does so in the case of cookies being set from images. But it is apparently giving the current URL in the case of an iframe. So the problem is in the GetSpec routine when called on behalf of an iframe. Reassigning to networking.
Assignee: morse → darin
Component: Cookies → Networking: HTTP
Networking doesn't have any knowledge of IFrames. If the URL is from a channel, then the caller should perhaps invoke GetOriginalURI(). Reassigning to Layout.
Assignee: darin → karnaze
Component: Networking: HTTP → Layout
QA Contact: tever → petersen
I have tried, but I also think that this might affect any kind of linked page (like a style sheet, or Javascript page)
Reassigning to pollmann.
Assignee: karnaze → pollmann
Keywords: privacy
Target Milestone: --- → Future
Can this bug get looked at? It's a privacy concern, and should probably be fixed for 1.0...
Assignee: pollmann → attinasi
Keywords: mozilla1.0
Target Milestone: Future → ---
I'm not sure that this is a bug. The IFrame contains a document with a URL, and the cookie is being set for that document, from the source URL. It is just as if you had opened the document in the IFrame in it's own window - you would expect the cookie to be accepted. Why do we assume that a cookie from and IFrame should not be accepted?
as 3rd parties (like a certain unnamed ad-company) use this method to get around 3rd parties cookies protection. instead of just intserting a IMG tag, they do it via a IFrame. and get the cookie passed to them. they have the referer URL, and any arguments passed when creating the IFrame allowing them to track you.
*** Bug 96351 has been marked as a duplicate of this bug. ***
This is making 'accept cookies only from originating server' pratically useless.
URL: http://www.theregister.co.uk/
OS: Windows 2000 → All
Hardware: PC → All
So, why is the page author putting in an IFrame in the first place? Inserting an IFrame with a document from a third party into your page is obviously going to require some trust. They could have script that does all kinds of funksy stuff too. But maybe I misunderstand this. Is the document in the IFrame getting cookies from the URL of the document that _contains_ the IFrame, or is it that the document in the IFrame is allowed to send cookies that will only be sent back to it? Even if this is NOT a bug, it might still be a good idea to allow the option to restrict how documents in IFrames can submit and receive cookies. Also, maybe we could restrict the creation of IFrames that have documents from other URLs - this could prevent all kinds of nasty problems, not just with cookies but script as well.
Re: Mark Attinasi's question: This bug (as I understand it) deals with cookies being set by the site within the iframe, not by the containing site. If this is not considered a bug, this should probably be considered an enhancement request: users should be able to block cookies from iframes (and maybe even regular frames?) for the same reason they should be able to block cookies from third-party images. By the way, blocking of cookies from third-party images isn't working 100% right now anyway, see bug 87731.
I personally think that this is an enhancement request, and it goes something like: "User should have a pref to disable accepting cookies from foreign embedded documents". I guess that there would be a UI component, and a backend component, but I'm not sure how layout would be involved. Reassigning to the 'Cookies' component, and CC"ing myself in case there is something to do in layout. If instead it is decided (by people who understand Cookie management better than I do, which is just about everyone) that we really just want to do someting like what was suggested in "Additional Comments From Darin Fisher 2001-02-07 12:30" then send it back to me and I'll try to learn about this.
Assignee: attinasi → morse
Component: Layout → Cookies
QA Contact: petersen → tever
Severity: normal → enhancement
Target Milestone: --- → Future
For those who aren't aware, IE6's privacy features are much better then Mozilla's. Mozilla may have had them first, but they've been buggy with awful UI.
Is there no fix possible for 1.0 here? Darin suggested using GetOriginalURI(), and there was no reply to that. I emptied my cookies and went to www.theregister.co.uk, Mozilla accepted a cookie from .doubleclick.net AND www.vibrantmedia.com. Makes me wonder if ANYONE even sets non-iframe 3rd party cookies. Is this just not possible without major arch changes, or is there pressure from commercial entities?
Keywords: helpwanted, mozilla0.9.6
This bug is actually related to bug 87388, which in turn is blocked by bug 87731.
Status: NEW → ASSIGNED
Depends on: 87731
fixing summary, this always escapes my queries blocks generic "third party cookie blocking doesn't work"
Blocks: 87388
Summary: IFrames allow the setting of 3rd party cookies → iframes allow the setting of third party cookies
No longer blocks: 87388
Reconsidering this. It shouldn't be futured. Retargetting for 0.9.9
Target Milestone: Future → mozilla0.9.9
Keywords: nsbeta1
Note going to make it in 0.9.9. Pushing out to 1.0
Target Milestone: mozilla0.9.9 → mozilla1.0
This is a subset of bug 87388. The patch in that bug report fixes this as well. And the test suite created for that bug report includes iframes. *** This bug has been marked as a duplicate of 87388 ***
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
verified dupe
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.