Cookies from second site have cross-site permission on first site, how is that possible?

  • 8 replies
  • 1 has this problem
  • 11 views
  • Last reply by mozilla308


I am on site 1 (site1.net) in a video call. In the permissions pop-up of the FF browser it shows me that cross-site cookies are allowed for site 2 (yetanothersite.com). See the screenshot attached. Both sites are totally unrelated and have no link whatsoever. I visited site 2 once many months or a year ago. To my understanding it is very odd that there is a permission for cross-site cookies from site 2 on site 1. This permission is not set on any other site. How could this permission have been set up, was it me, is this a bug? How come there is a permission for site 2 on site 1 while they have no interrelation? I have searched through the cookies.sqlite DB and found nothing irregular. The privacy / tracking settings are set to the "standard" choice. What am I missing here?

The system is Windows 11 with current FF 96.x.

Screenshot attached

Modified by mozilla308

All Replies (8)


I gather the following preference (default value is true) is responsible: network.cookie.sameSite.laxByDefault


I don't think I've seen that, but I rarely look at the panel and I'm not sure what kind of sites to check.

If you open the exceptions list -- "Ausnahmen verwalten…" button on the Preferences page -- is the other site listed there with an Allow permission?

If you check the 'moz_perms' table in permissions.sqlite, you can look for unexpected permissions. I noticed some referring to 3rdPartyStorage followed by a third party site. For example, what does this mean:

origin = https://youtube.com type = 3rdPartyStorage^https://www.cdc.gov

??
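An added example (not code from the thread, and not Mozilla's own tooling) that automates the moz_perms check described above: it lists every 3rdPartyStorage^ row in a permissions.sqlite-shaped table, splits out the third-party origin after the caret, and flags grants that are not on an allow-list of partners the top-level site is expected to embed. The column layout, the permission codes and the millisecond timestamps are assumptions about the schema; the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone

PREFIX = "3rdPartyStorage^"

# Constructed sample rows shaped like Firefox's moz_perms table. The column
# layout, the permission codes (1 = allow, 2 = deny) and millisecond timestamps
# are assumptions about the schema, not taken from the thread.
SAMPLE_ROWS = [
    ("https://youtube.com", "3rdPartyStorage^https://www.cdc.gov", 1, 0, 0, 1640000000000),
    ("https://site1.net", "3rdPartyStorage^https://yetanothersite.com", 1, 0, 0, 1640000001000),
    ("https://site1.net", "cookie", 1, 0, 0, 1640000002000),
]

def open_sample_db():
    """Build an in-memory permissions.sqlite look-alike so the audit runs offline.
    For a real profile, copy permissions.sqlite while Firefox is closed and use
    sqlite3.connect("file:permissions.sqlite?mode=ro", uri=True) instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE moz_perms (
        id INTEGER PRIMARY KEY, origin TEXT, type TEXT, permission INTEGER,
        expireType INTEGER, expireTime INTEGER, modificationTime INTEGER)""")
    conn.executemany(
        "INSERT INTO moz_perms (origin, type, permission, expireType, expireTime,"
        " modificationTime) VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def cross_site_storage_grants(conn):
    """Return (top_level_origin, third_party_origin, decision, modified_utc) for
    every 3rdPartyStorage^ row: the entries that surface as cross-site cookie
    permissions in the page-info panel. The third party is the part after '^'."""
    cur = conn.execute(
        "SELECT origin, type, permission, modificationTime FROM moz_perms"
        " WHERE type LIKE ? ORDER BY id", (PREFIX + "%",))
    grants = []
    for origin, ptype, perm, mtime in cur:
        decision = {1: "allow", 2: "deny"}.get(perm, str(perm))
        modified = datetime.fromtimestamp(mtime / 1000, tz=timezone.utc).isoformat()
        grants.append((origin, ptype[len(PREFIX):], decision, modified))
    return grants

def unexpected_grants(conn, known_partners):
    """known_partners maps a top-level origin to the third parties it is expected
    to embed; every other grant is returned for review (site1/site2 above would be)."""
    return [g for g in cross_site_storage_grants(conn)
            if g[1] not in known_partners.get(g[0], set())]
```

Running unexpected_grants against a real profile with an empty allow-list simply prints every cross-site storage grant, which is the quickest way to spot a pairing like the one in the question.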


TNorth said

I gather the following preference (default value is true) is responsible: network.cookie.sameSite.laxByDefault

This may be one of the responsible preferences, but it does not explain how site2 can gather a permission on site1 while they are totally unrelated and unlinked.

jscher2000 said

I don't think I've seen that, but I rarely look at the panel and I'm not sure what kind of sites to check. If you open the exceptions list -- "Ausnahmen verwalten…" button on the Preferences page -- is the other site listed there with an Allow permission? If you check the 'moz_perms' table in permissions.sqlite, you can look for unexpected permissions. I noticed some referring to 3rdPartyStorage followed by a third party site. For example, what does this mean: origin = https://youtube.com type = 3rdPartyStorage^https://www.cdc.gov ??

After canceling the permission I cannot check with "Ausnahmen verwalten", and looking through the permissions.sqlite – damn! – I didn't think about that yesterday. Should have checked that.

This thing is not explicable to me. I have never seen it before and it does not appear on any other site or in any other Firefox profile. It's just been exactly this combination.

The question remains unanswered how site2 can have a permission on site1 while they are absolutely unrelated or intertwined.

BTW, in my Firefox profiles, looking through permissions.sqlite, I do not have the same couple "youtube" and "cdc.gov". May be related to anti-COVID misinformation features on YouTube?!

Modified by mozilla308


mozilla308 said

The question remains unanswered how site2 can have a permission on site1 while they are absolutely unrelated or intertwined.

I would be guessing, but I think Firefox would only mention that if there was site2 content loading into site1. Why is site2 content loading into site1? If it's not part of the design of site1, it might be injected by an add-on or by a proxy server.


My understanding is that there is not any content loaded and no cookies set etc. It's just the permission which is set. Still that is super weird and I can't follow the technical flow here – how's that even feasible, it should not be possible by design.

A proxy server is not used other than of course site1's nginx proxy/web server that serves the applications. It is our server and our application hosted on our premises, so I can for sure say that site1 has no architectural ties with site2.

The suggestion that an add-on could be responsible is interesting. Do you have an example how that would be done or a real life example from the past where that has happened?

Modified by mozilla308


Some types of alien content injection by add-ons include:

  • definition/translation widgets (reduced in recent years due to the bar on remote code injection)
  • shopping comparison data
  • stealth ads on search results pages (malware)

I see.

site1 is a kind of a cloud app platform for internal use where the outside world has no access. site2 is a "standard" website of a company with some information about their products, you know, the usual thing.

I'll check through the add-ons but am not overly confident.