Disabling third party cookies causes View Page Source requests to not send any cookies

UNCONFIRMED
Unassigned

Status

()

Core
Networking: Cookies
P5
normal
UNCONFIRMED
5 years ago
3 months ago

People

(Reporter: Donald Sarratt, Unassigned)

Tracking

15 Branch
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [necko-would-take])

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Build ID: 20120824154833

Steps to reproduce:

Disabled "Accept third-party cookies" in Privacy Settings.
Loaded a webpage that requires cookies (e.g. an account settings page).
Right-clicked on the page, selected "View Page Source".

Reproducible: Always


Actual results:

When Firefox sends a new request to get the page source, it does so WITHOUT sending any cookies, causing the incorrect page to be loaded.


Expected results:

The page should have been requested WITH the existing cookies.
(Reporter)

Comment 1

5 years ago
Testing shows this only happens if "Vary: Cookie" is in the HTTP headers of the requested page. If the Vary header does not include Cookie (or *), or if the Vary header is absent, Firefox performs as expected.
Component: Untriaged → Networking: Cookies
Product: Firefox → Core

Comment 2

5 years ago
I've found that if a cookie exception is in place in preferences to 'Allow' cookies from a specific domain, then the cookie is sent even if 'Allow third-party cookies' remains unchecked in privacy settings.

Example:
Third party cookies disallowed; no cookie exception in place for x.example.com

1) Login to x.example.com 
2) View source does not send any cookies to x.example.com
3) Add a privacy exception allowing cookies from x.example.com
4) View source now sends cookies to x.example.com and shows the correct page source

Comment 3

3 years ago
It also happen on firefox developper edition 37.0a2 (2015-02-12) under linux (debian wheezy)

Comment 4

2 years ago
I can confirm this happening as of the latest 42 alpha.  The View Source functionality is essentially useless if you value your privacy.  Previously before this was broken the View Source functionality would just show the previously downloaded source instead of reloading the page.  There should never be a need to resubmit the page request especially when that could result in POST'ing a form twice.
Whiteboard: [necko-would-take]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.