Closed Bug 67447 Opened 24 years ago Closed 23 years ago

iframes allow the setting of third party cookies

Categories

(Core :: Networking: Cookies, enhancement)

Product:
Core
Component:
Networking: Cookies
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED DUPLICATE of bug 87388
Milestone:
mozilla1.0

People

(Reporter: ianholsman, Assigned: morse)

References

(
URL
)

Details

(Keywords: helpwanted, privacy) 

Hi.
I was playing with cookies, and found that the 'Enable Cookies from originating
web site only' option does not block setting a 3rd party cookie if you set it
via a iframe

eg...

on foo.org
..<iframe src="www.nastyweb.com/">
will let nastyweb.com set a cookie
I belive that some less privacy orientated web advertising networks are already
using this trick in stead of img tags
Reporter what version of Mozilla are you running? Also can you create a testcase
for us?
Build: 2001010901

Try the following URL's
http://holsman.net/test/img.html
http://holsman.net/test/iframe.html

Confirmed
Platform: PC
OS: Windows 98
Mozilla Build: 2001020320

Marking New.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: 3rd Party Cookies and IFrames → IFrames allow the setting of 3rd party cookies
Problem is the following call in SetCookieStringFromHttp which is in module 
nsCookieService.cpp:

   rv = aFirstURL->GetSpec(&firstSpec);

This call is supposed to return the originating URL.  And it does so in the case 
of cookies being set from images.  But it is apparently giving the current URL 
in the case of an iframe.

So the problem is in the GetSpec routine when called on behalf of an iframe.  
Reassigning to networking.
Assignee: morse → darin
Component: Cookies → Networking: HTTP
Networking doesn't have any knowledge of IFrames.  If the URL is from a channel,
then the caller should perhaps invoke GetOriginalURI().  Reassigning to Layout.
Assignee: darin → karnaze
Component: Networking: HTTP → Layout
QA Contact: tever → petersen
I have tried, but I also think that this might affect any kind of linked page
(like a style sheet, or Javascript page)
Reassigning to pollmann.
Assignee: karnaze → pollmann
Keywords: privacy
Target Milestone: --- → Future
Can this bug get looked at?  It's a privacy concern, and should probably be fixed for 1.0...
Assignee: pollmann → attinasi
Keywords: mozilla1.0
Target Milestone: Future → ---
I'm not sure that this is a bug. The IFrame contains a document with a URL, and
the cookie is being set for that document, from the source URL. It is just as if
you had opened the document in the IFrame in it's own window - you would expect
the cookie to be accepted. Why do we assume that a cookie from and IFrame should
not be accepted?
as 3rd parties (like a certain unnamed ad-company) use this method to
get around 3rd parties cookies protection.

instead of just intserting a IMG tag, they do it via a IFrame.
and get the cookie passed to them.
they have the referer URL, and any arguments passed when creating the IFrame
allowing them to track you.
*** Bug 96351 has been marked as a duplicate of this bug. ***
This is making 'accept cookies only from originating server' pratically useless.
URL: http://www.theregister.co.uk/
OS: Windows 2000 → All
Hardware: PC → All
So, why is the page author putting in an IFrame in the first place? Inserting an
IFrame with a document from a third party into your page is obviously going to
require some trust. They could have script that does all kinds of funksy stuff too.

But maybe I misunderstand this. Is the document in the IFrame getting cookies
from the URL of the document that _contains_ the IFrame, or is it that the
document in the IFrame is allowed to send cookies that will only be sent back to it?

Even if this is NOT a bug, it might still be a good idea to allow the option to
restrict how documents in IFrames can submit and receive cookies. Also, maybe we
could restrict the creation of IFrames that have documents from other URLs -
this could prevent all kinds of nasty problems, not just with cookies but script
as well.
Re: Mark Attinasi's question: This bug (as I understand it) deals with cookies
being set by the site within the iframe, not by the containing site.

If this is not considered a bug, this should probably be considered an
enhancement request: users should be able to block cookies from iframes (and
maybe even regular frames?) for the same reason they should be able to block
cookies from third-party images.
By the way, blocking of cookies from third-party images isn't working 100% right
now anyway, see bug 87731.
I personally think that this is an enhancement request, and it goes something like:

"User should have a pref to disable accepting cookies from foreign embedded
documents".

I guess that there would be a UI component, and a backend component, but I'm not
sure how layout would be involved. Reassigning to the 'Cookies' component, and
CC"ing myself in case there is something to do in layout.
If instead it is decided (by people who understand Cookie management better than
I do, which is just about everyone) that we really just want to do someting like
what was suggested in "Additional Comments From Darin Fisher 2001-02-07 12:30"
then send it back to me and I'll try to learn about this.
Assignee: attinasi → morse
Component: Layout → Cookies
QA Contact: petersen → tever
Severity: normal → enhancement
Target Milestone: --- → Future
For those who aren't aware, IE6's privacy features are much better then
Mozilla's. Mozilla may have had them first, but they've been buggy with awful UI.
Is there no fix possible for 1.0 here? Darin suggested using GetOriginalURI(),
and there was no reply to that. I emptied my cookies and went to
www.theregister.co.uk, Mozilla accepted a cookie from .doubleclick.net AND
www.vibrantmedia.com. Makes me wonder if ANYONE even sets non-iframe 3rd party
cookies.

Is this just not possible without major arch changes, or is there pressure from
commercial entities?
Keywords: helpwanted, mozilla0.9.6
This bug is actually related to bug 87388, which in turn is blocked by bug 
87731.
Status: NEW → ASSIGNED
Depends on: 87731
fixing summary, this always escapes my queries
blocks generic "third party cookie blocking doesn't work"
Blocks: 87388
Summary: IFrames allow the setting of 3rd party cookies → iframes allow the setting of third party cookies
No longer blocks: 87388
Reconsidering this.  It shouldn't be futured.  Retargetting for 0.9.9
Target Milestone: Future → mozilla0.9.9
Keywords: nsbeta1
Note going to make it in 0.9.9.  Pushing out to 1.0
Target Milestone: mozilla0.9.9 → mozilla1.0
This is a subset of bug 87388.  The patch in that bug report fixes this as well.  
And the test suite created for that bug report includes iframes.

*** This bug has been marked as a duplicate of 87388 ***
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
verified dupe
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.