Closed Bug 725251 Opened 13 years ago Closed 13 years ago

Shared access to session information/cookies violates user privacy preferences

Categories

(Firefox :: Untriaged, defect)

10 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 117222

People

(Reporter: voracious.consumer, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7
Steps to reproduce:
- Open Firefox
- Go into "Tools-Options-Privacy-Keep until" and select "I close Firefox".
- Close the browser
- Open a new instance of Firefox.
- In the first tab sign into gmail.com (mail.google.com)
- In the second tab open google.com for search
- Note that the session/account information from the first tab is shared with the second.
- Now open a second instance of Firefox while the first one is running and open google.com in its first tab. Session/account information from the first instance is available in the second instance.
Actual results:
The sharing of session information with other tabs or instances of the browser violates the user's privacy preferences due to the following reasons:
1) Session information from a tab in one instance of the browser is available to a tab in another instance.
2) Session information is shared with unrelated sessions in adjacent tabs.
This is primarily because a session is liberally interpreted as the period between the opening and the closing of the browser. This interpretation is flawed since a session is primarily an interaction with a web service.
Expected results:
In order to address privacy concerns a session should be treated as an interaction with a specific service, e.g. mail, search, etc. Information provided to one service must be available to other services only if the user has opted in or has made an explicit request for such sharing.
User expectations:
1) Allow the user to opt in to the liberal notion of a session
2) Respect the user's preference for isolation of cookies
3) Improve RFC 6265 in order to regulate unbridled access to private information
See similar Chrome bug http://code.google.com/p/chromium/issues/detail?id=112997
Cookies are always available to all browser windows and tabs. Changing that would break the web and this will not be done.
Note: Firefox is using one single instance. You didn't fulfill the selected preferences since you didn't close the browser. You can run a second Firefox instance but that requires an environment variable and a second profile.
I tended to close this report as wontfix.
> Cookies are always available to all browser windows and tabs.
The fact is that cookies NEED NOT be available to other tabs or instances. By default they need to be available to the session (tab) in which they were set. Other sessions may have access to them if the user allowed it. This is sufficient for stateful web services. A session is interpreted as a user's interaction with a web service.
> You didn't fulfill the selected preferences since you didn't close the browser
Correct. But the demand I am making is to
1) Reduce the scope of a "session" from opening and closing of a browser to opening and closing of a tab. In other words, provide the user with an option to keep cookies until a session (tab) is closed.
2) Provide the user with an option to prevent sharing of cookies with other sessions (tabs and instances)
The objective is to ensure the privacy of each interaction.
> A session is interpreted as a user's interaction with a web service.
In which RFC can I read that? I can not find this in rfc6265.
A session is currently a browser session and that starts with the browser start and ends with the browser closing. Limiting the scope of session cookies (and only session cookies!) to a new tab/window is bug 117222.
Note: This is only true for session cookies and not for any other persistent cookies.
Do you agree that this is a dupe of bug 117222?
> In which RFC can I read that? I can not find this in rfc6265
RFC 2526 leaves the definition to the user agent and the current interpretation of "session" by Firefox is insufficient in terms of privacy. Hence my proposal to treat a session as a user's interaction with a web service, e.g. mail, search.
> Do you agree that this is a dupe of bug 117222?
From a technical standpoint, yes. But the bug report does not emphasize the privacy issues even though some comments do. Lastly, the fact that the bug has been pending for more than 10 years and that only an add-on offers a workaround is discouraging.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
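
The two cookie-scoping models argued over in this thread, as an added Python sketch that is not Firefox code and not written by any commenter: `SharedJar` is the one-jar-per-profile behaviour described in the replies, `PerTabJar` is the reporter's per-tab proposal with opt-in sharing. All class, method and cookie names are hypothetical and the sample cookie is constructed.

```python
# Added illustration, not Firefox code: class, method and cookie names are hypothetical.
def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled)."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


class SharedJar:
    """Behaviour described in the replies: one jar per profile, seen by every tab."""
    def __init__(self):
        self.cookies = {}  # (domain, name) -> value

    def set_cookie(self, tab, domain, name, value):
        self.cookies[(domain, name)] = value  # the setting tab is not recorded

    def cookies_for(self, tab, host):
        return {n: v for (d, n), v in self.cookies.items() if domain_match(host, d)}

    def close_tab(self, tab):
        pass  # session cookies live until the whole browser exits


class PerTabJar:
    """Reporter's proposal: a cookie belongs to the tab that set it."""
    def __init__(self):
        self.cookies = {}    # (owner_tab, domain, name) -> value
        self.grants = set()  # (owner_tab, other_tab) pairs the user opted in to

    def set_cookie(self, tab, domain, name, value):
        self.cookies[(tab, domain, name)] = value

    def allow_sharing(self, owner_tab, other_tab):
        self.grants.add((owner_tab, other_tab))

    def cookies_for(self, tab, host):
        return {n: v for (o, d, n), v in self.cookies.items()
                if domain_match(host, d) and (o == tab or (o, tab) in self.grants)}

    def close_tab(self, tab):
        # The tab's cookies and every grant involving it end with the tab.
        self.cookies = {k: v for k, v in self.cookies.items() if k[0] != tab}
        self.grants = {g for g in self.grants if tab not in g}


def visible_in_second_tab(jar):
    """Constructed scenario from the report: tab1 signs in, tab2 opens search."""
    jar.set_cookie("tab1", "google.com", "session", "constructed-value")
    return jar.cookies_for("tab2", "www.google.com")
```

With `SharedJar` the second tab receives the cookie set by the first; with `PerTabJar` it receives nothing until `allow_sharing("tab1", "tab2")` is called, and closing `tab1` removes both the cookie and the grant.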