Closed Bug 840739 Opened 11 years ago Closed 11 years ago

Flash links in private windows are converting normal windows into private windows.

Categories

(Firefox :: Private Browsing, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

VERIFIED FIXED
Firefox 22
Tracking Status
firefox19 --- wontfix
firefox20 + verified
firefox21 + verified
firefox22 --- verified

People

(Reporter: mobius_88, Assigned: jdm)

Details

(Keywords: dataloss)

Attachments

(1 file)

I'm not sure where else to go to reproduce this except, unfortunately, the adult social site I discovered it on.

As long as you don't have any qualms with going on an adult dating site and probably seeing some adult images in the process...steps to reproduce.
1) go to adultfriendfinder.com
2) create a new, free, account (assuming you don't have one)
3) in the upper right of the window click on the IM button. This will open a new chromeless window with a Flash based chat client filling most of it.
4) Put whatever window you want the new tab to open in *directly behind* the chat window. In this case use a non-private window.
5) click the "AdultFriendFinder.com" link in the upper right of the chat window.

Expected Results:
New tab opens in a private window (or opens a new one).

Actual Results:
New tab opens in whatever window is behind the original, including non-private windows.

Of interest is that the new tab does not seem to show up in history. So it is presumably still a private tab - something I didn't know was even possible.
Woah. So I just realized what else was going on here.
I have one window that has several pinned tabs on it with multiple gmail/calendar/gvoice tabs in it.  They were all getting logged out and I couldn't tell why.
It turns out that when the new tab is inserted into the non-private window, it turns it into a private window and all the other tabs with it.
The UI doesn't change (aka the purple button) but all the emails get logged out and if you pull any of the tabs off into individual windows you'll find that the new window will be private (purple button).
This is a fun trick and all, but on top of **** someone off, could lead to dataloss, such as on pages with forms, no?

I tested this with one window while being logged into one yahoo mail account in private browsing and one in non-private.  After the new tab had opened into the non-private window I reloaded the non-private yahoo tab and sure enough it had swapped and was now displaying the private yahoo account.  In the other non-private windows the non-private account loaded fine.

Is this already on someone's radar because it seems pretty serious.
Keywords: dataloss
Summary: Flash links in private windows are opening tabs in non-private windows → Flash links in private windows are converting normal windows into private windows.
What Firefox version and Flash version did you reproduce this issue with? Does it reproduce with Flash 11.6 and Firefox 20 or later?
Flags: needinfo?(mobius_88)
I produced this on 20 and just reproduced it again on 20.0a2.
My Flash is up to date 11.6.602.168 (updated with the newest fixes today).
Still reproducible.
Flags: needinfo?(mobius_88)
I did a search and was able to find a non-adult site to test this on.

To reproduce:
Go to http://www.openpalace.org/
Click on the "Try it now!"
A directory listing will be displayed, sort the list by category.
Near the top of the "All ages" grouping in the list, open "Amigos del Mundo".
In the upper right of the resulting room there is text that says "Playlist Sombra" click that.
The resulting tab will open in whatever window is directly behind the current window.
Josh, any chance you could take a look at this, please?
Flags: needinfo?(josh)
Assignee: nobody → josh
Blocks: PBnGen
Got it. For once the backend is doing the right thing, and it's the frontend that is choosing the host window willy-nilly: http://hg.mozilla.org/mozilla-central/annotate/f2ec16a9feea/browser/base/content/browser.js#l4860
Flags: needinfo?(josh)
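
A small model of the host-window choice described in the comment above, as an added example: it is not Firefox code and not the attached patch, and every name in it (`makeWindows`, `pickHostIgnoringPrivacy`, `pickHostRespectingPrivacy`, `openTab`) is hypothetical. It contrasts picking the topmost tab-capable window with picking only a window whose privacy state matches the opener's.

```javascript
// Constructed model (not Firefox code): windows listed front-to-back in z-order.
// `chromeless` marks popups that cannot host tabs, like the chat window in the report.
function makeWindows(includePrivateHost) {
  const list = [
    { id: "chat-popup", isPrivate: true, chromeless: true, tabs: [] },
    { id: "normal-1", isPrivate: false, chromeless: false, tabs: ["mail"] },
  ];
  if (includePrivateHost) {
    list.push({ id: "private-1", isPrivate: true, chromeless: false, tabs: ["site"] });
  }
  return list;
}

// Reported behaviour: take the topmost window that can host tabs.
// The opener's privacy state is never consulted.
function pickHostIgnoringPrivacy(windows, opener) {
  return windows.find((w) => !w.chromeless) || null;
}

// Corrected behaviour: only windows sharing the opener's privacy state qualify.
// Returning null tells the caller to create a new window with that state.
function pickHostRespectingPrivacy(windows, opener) {
  return windows.find((w) => !w.chromeless && w.isPrivate === opener.isPrivate) || null;
}

// Open `url` on behalf of `opener`; create a matching window if the picker found none.
function openTab(windows, opener, url, pick) {
  let host = pick(windows, opener);
  if (!host) {
    host = { id: "new-window", isPrivate: opener.isPrivate, chromeless: false, tabs: [] };
    windows.unshift(host);
  }
  host.tabs.push(url);
  // `crossed` is true when the tab landed in a window of the other privacy state.
  return { hostId: host.id, crossed: host.isPrivate !== opener.isPrivate };
}

// Scenario from the report: a private chromeless popup sits directly above a normal window.
function runScenario(pick, includePrivateHost) {
  const windows = makeWindows(includePrivateHost);
  return openTab(windows, windows[0], "https://example.test/", pick);
}

console.log(runScenario(pickHostIgnoringPrivacy, true));
console.log(runScenario(pickHostRespectingPrivacy, true));
console.log(runScenario(pickHostRespectingPrivacy, false));
```

The third call covers the case where no private tabbed window exists, which is where a privacy-aware picker has to fall back to a new private window rather than the nearest normal one.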
Thanks for the steps to reproduce the problem, mobius_88. This was a really excellent bug report :)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attachment #717304 - Flags: review?(gavin.sharp) → review+
(In reply to Josh Matthews [:jdm] from comment #8)
> Thanks for the steps to reproduce the problem, mobius_88. This was a really
> excellent bug report :)

Thanks.
Now if only my true self could get the credit. :)
(I set up this secondary account because I was embarrassed of the adult association.)
Comment on attachment 717304 [details] [diff] [review]
Make opening a new URI respect the privacy status of the opener.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 798508
User impact if declined: Links from plugins in private windows can open up in public ones, leading to information leakage.
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): None. This merely refines existing behaviour.
String or UUID changes made by this patch: None.
Attachment #717304 - Flags: approval-mozilla-beta?
Attachment #717304 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/30183a721142
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 22
Comment on attachment 717304 [details] [diff] [review]
Make opening a new URI respect the privacy status of the opener.

Great that this was found and fixed so quickly. Thanks all - go ahead with uplift.
Attachment #717304 - Flags: approval-mozilla-beta?
Attachment #717304 - Flags: approval-mozilla-beta+
Attachment #717304 - Flags: approval-mozilla-aurora?
Attachment #717304 - Flags: approval-mozilla-aurora+
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0

Verified as fixed in Firefox 20 beta 2 (buildID: 20130227063501) based on STR from comment 4. 
If the website is loaded in a private window, then after clicking "Playlist Sombra" it will open a new tab only in a private window. If the website is opened in a normal window, the new tab will open only in a normal window.
Flagging for verification in Firefox 21 and 22.
Keywords: verifyme
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0

Verified as fixed in Firefox 21 beta 3 (buildID: 20130416200523).
Can you please provide another website, since http://www.openpalace.org/ is not working any more, and regarding the website from comment 0: it does not want to accept any email provider I throw at it in order to make an account.
Or can you verify this as fixed using Firefox 22 beta 2? 
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/22.0b2-candidates/build1/win32/en-US/
Flags: needinfo?(mobius_88)
I can confirm that this problem (as laid out in comment 0) is not present in Firefox 22 beta 2.
Status: RESOLVED → VERIFIED
Flags: needinfo?(mobius_88)