Why does Firefox share data between google domains even with all privacy options on?
I have noticed that when I manually log in into accounts.google.com with no prior cookies in the browser and no association with a google account prior to that, it automatically logs me into sites like youtube.com, even with the strictest cookie policies (tried with Strict, custom+cross-site and custom+third-party). I do not particularly mind privacy wise since I'll log into them with the same account anyways, but as far as I understood, there should be absolutely no way this should happen. Cookies should be isolated by domain, I have uBlock Origin installed which prevents cookie sharing between domains by setting some CNAME records in subdomains (Uncloak canonical names), and afaik Firefox does not automatically read the google account cookies and share them around - if it did, that would be even more serious. So what is happening here and how can I change that? This seems to be a serious issue that I'm honestly not comfortable with out of principle since I chose the strictest settings.
All Replies (2)
I agree. Mozilla shouldn't accept the fact that youtube login state relies on accounts.google.com. This should be an unreachable third-party cookie for us. This is an old and forgotten issue -> https://bugzilla.mozilla.org/show_bug.cgi?id=1319839
Modified by TyDraniu
Hi, I agree. Mozilla shouldn't accept the fact that youtube login state relies on accounts.google.com. This should be an unreachable third-party cookie for us. This is an old and forgotten issue -> https://bugzilla.mozilla.org/show_bug.cgi?id=1319839
Yeah I just tracked it down to the redirects too, since just logging in to accounts.google.com creates cookies for youtube.com without ever visiting that site explicitly. Now that's obviously a problem, but most direct solutions I can think of to prevent this (e.g. only give access to cookies to a website when it has been explicitly navigated to) would likely break all google logins, since they use accounts.google.com when logging into youtube afaik.
One solution would be to further subdivide the "cookie jars" into youtube.com|accounts.google.com when logging in to youtube, and mail.google.com|accounts.google.com when logging into gmail (and all other domains that are redirected to when logging in to these services), which would still allow login to function, but have them be completely isolated by initial domain. And make it transparent which service is considered the current, navigated one. This of course does not prevent google servers to store login by IP and associate them by this, but they can't do that reliably anyways as that would be a huge security issue. Unfortunately, existing options that SOUND like they do this, don't change a thing, e.g. privacy.firstparty.isolate and TCP.