Avatar for Username

Prohledat stránky podpory

Vyhněte se podvodům. Za účelem poskytnutí podpory vás nikdy nežádáme, abyste zavolali nebo poslali SMS na nějaké telefonní číslo nebo abyste sdělili své osobní údaje. Jakékoliv podezřelé chování nám prosím nahlaste pomocí odkazu „Nahlásit zneužití“.

Learn More

Toto vlákno bylo archivováno. Pokud potřebujete pomoci, založte prosím nový dotaz.

Why does Firefox share data between google domains even with all privacy options on?

  • 2 odpovědi
  • 2 mají tento problém
  • 8 zobrazení
  • Poslední odpověď od gggh

gggh
gggh
more options

I have noticed that when I manually log in into accounts.google.com with no prior cookies in the browser and no association with a google account prior to that, it automatically logs me into sites like youtube.com, even with the strictest cookie policies (tried with Strict, custom+cross-site and custom+third-party). I do not particularly mind privacy wise since I'll log into them with the same account anyways, but as far as I understood, there should be absolutely no way this should happen. Cookies should be isolated by domain, I have uBlock Origin installed which prevents cookie sharing between domains by setting some CNAME records in subdomains (Uncloak canonical names), and afaik Firefox does not automatically read the google account cookies and share them around - if it did, that would be even more serious. So what is happening here and how can I change that? This seems to be a serious issue that I'm honestly not comfortable with out of principle since I chose the strictest settings.

I have noticed that when I manually log in into accounts.google.com with no prior cookies in the browser and no association with a google account prior to that, it automatically logs me into sites like youtube.com, even with the strictest cookie policies (tried with Strict, custom+cross-site and custom+third-party). I do not particularly mind privacy wise since I'll log into them with the same account anyways, but as far as I understood, there should be absolutely no way this should happen. Cookies should be isolated by domain, I have uBlock Origin installed which prevents cookie sharing between domains by setting some CNAME records in subdomains (Uncloak canonical names), and afaik Firefox does not automatically read the google account cookies and share them around - if it did, that would be even more serious. So what is happening here and how can I change that? This seems to be a serious issue that I'm honestly not comfortable with out of principle since I chose the strictest settings.

Všechny odpovědi (2)

TyDraniu
TyDraniu
  • Top 10 Contributor
more options

Hi,

I agree. Mozilla shouldn't accept the fact that youtube login state relies on accounts.google.com. This should be an unreachable third-party cookie for us. This is an old and forgotten issue -> https://bugzilla.mozilla.org/show_bug.cgi?id=1319839

Upravil uživatel TyDraniu dne

gggh
gggh Autor dotazu
more options

TyDraniu said
Hi, I agree. Mozilla shouldn't accept the fact that youtube login state relies on accounts.google.com. This should be an unreachable third-party cookie for us. This is an old and forgotten issue -> https://bugzilla.mozilla.org/show_bug.cgi?id=1319839

Yeah I just tracked it down to the redirects too, since just logging in to accounts.google.com creates cookies for youtube.com without ever visiting that site explicitly. Now that's obviously a problem, but most direct solutions I can think of to prevent this (e.g. only give access to cookies to a website when it has been explicitly navigated to) would likely break all google logins, since they use accounts.google.com when logging into youtube afaik.

One solution would be to further subdivide the "cookie jars" into youtube.com|accounts.google.com when logging in to youtube, and mail.google.com|accounts.google.com when logging into gmail (and all other domains that are redirected to when logging in to these services), which would still allow login to function, but have them be completely isolated by initial domain. And make it transparent which service is considered the current, navigated one. This of course does not prevent google servers to store login by IP and associate them by this, but they can't do that reliably anyways as that would be a huge security issue. Unfortunately, existing options that SOUND like they do this, don't change a thing, e.g. privacy.firstparty.isolate and TCP.