
Cookies from second site have cross-site permission on first site, how is that possible?

  • 8 replies
  • 1 has this problem
  • 7 views
  • Last reply by mozilla308


I am on site 1 (site1.net) in a video call. In the permissions pop-up of the FF browser it shows me that cross-site cookies are allowed for site 2 (yetanothersite.com). See the screenshot attached. Both sites are totally unrelated and have no link whatsoever. I visited site 2 once many months or a year ago. To my understanding it is very odd that there is a permission for cross-site cookies from site 2 on site 1. This permission is not set on any other site. How could this permission have been set up, was it me, is this a bug? How come there is a permission for site 2 on site 1 while they have no interrelation? I have searched through the cookies.sqlite DB and found nothing irregular. The privacy / tracking settings are set to the "standard" choice. What am I missing here?

The system is Windows 11 with current FF 96.x.

Attached screenshot

Modified by mozilla308 on 

All replies (8)


I gather the following preference (default value is true) is responsible: network.cookie.sameSite.laxByDefault



I don't think I've seen that, but I rarely look at the panel and I'm not sure what kind of sites to check.

If you open the exceptions list -- "Ausnahmen verwalten…" button on the Preferences page -- is the other site listed there with an Allow permission?

If you check the 'moz_perms' table in permissions.sqlite, you can look for unexpected permissions. I noticed some referring to 3rdPartyStorage followed by a third party site. For example, what does this mean:

origin = https://youtube.com type = 3rdPartyStorage^https://www.cdc.gov

??

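One way to do the audit jscher2000 describes, as an added example that is not from the thread or from Mozilla: query the moz_perms table for every 3rdPartyStorage^ row and split it into the first-party origin and the third-party site it grants storage to. The column set of moz_perms, the integer codes for permission and expiry, and the sample rows (the youtube/cdc.gov pair from the thread plus the site1/site2 pair in question) are assumptions or constructed data, not taken from a real profile.

```python
import sqlite3
from dataclasses import dataclass

# moz_perms column set as seen in Firefox profiles; DDL and integer-code meanings are assumptions.
MOZ_PERMS_DDL = """CREATE TABLE moz_perms (
    id INTEGER PRIMARY KEY, origin TEXT, type TEXT, permission INTEGER,
    expireType INTEGER, expireTime INTEGER, modificationTime INTEGER)"""
PERMISSION_NAMES = {1: "allow", 2: "deny", 3: "prompt"}  # assumed code mapping
EXPIRE_NAMES = {0: "never", 1: "session", 2: "time"}     # assumed code mapping


@dataclass(frozen=True)
class ThirdPartyStorageGrant:
    first_party: str   # origin column: the site the user is visiting
    third_party: str   # site named after the '^' in the type column
    permission: str
    expiry: str


def find_third_party_storage_grants(conn):
    """List every 3rdPartyStorage^<site> row: the permission kind that lets
    <site>'s cookies be used while the user is on the first-party origin."""
    rows = conn.execute(
        "SELECT origin, type, permission, expireType FROM moz_perms "
        "WHERE type LIKE '3rdPartyStorage^%' ORDER BY origin, type")
    grants = []
    for origin, ptype, perm, expire in rows:
        third_party = ptype.partition("^")[2]
        grants.append(ThirdPartyStorageGrant(
            origin, third_party,
            PERMISSION_NAMES.get(perm, f"unknown({perm})"),
            EXPIRE_NAMES.get(expire, f"unknown({expire})")))
    return grants


def open_profile_db(path):
    """Open a profile's permissions.sqlite read-only; copy the file first if Firefox holds it."""
    return sqlite3.connect(f"file:{path}?immutable=1", uri=True)


def constructed_sample_db():
    """Constructed in-memory stand-in for permissions.sqlite, using the
    youtube/cdc.gov row from the thread plus the site1/site2 pair in question."""
    conn = sqlite3.connect(":memory:")
    conn.execute(MOZ_PERMS_DDL)
    conn.executemany(
        "INSERT INTO moz_perms(origin, type, permission, expireType, "
        "expireTime, modificationTime) VALUES (?, ?, ?, ?, ?, ?)",
        [("https://youtube.com", "3rdPartyStorage^https://www.cdc.gov", 1, 0, 0, 0),
         ("https://site1.net", "3rdPartyStorage^https://yetanothersite.com", 1, 0, 0, 0),
         ("https://site1.net", "desktop-notification", 1, 0, 0, 0)])
    return conn
```

Run `find_third_party_storage_grants(open_profile_db("/path/to/profile/permissions.sqlite"))` against a copy of a real profile; any first-party/third-party pair you do not recognise is the row to investigate.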


TNorth said

I gather the following preference (default value is true) is responsible: network.cookie.sameSite.laxByDefault

This may be one of the responsible preferences, but it does not explain how site2 can gather a permission on site1 while they are totally unrelated and unlinked.

jscher2000 said

I don't think I've seen that, but I rarely look at the panel and I'm not sure what kind of sites to check. If you open the exceptions list -- "Ausnahmen verwalten…" button on the Preferences page -- is the other site listed there with an Allow permission? If you check the 'moz_perms' table in permissions.sqlite, you can look for unexpected permissions. I noticed some referring to 3rdPartyStorage followed by a third party site. For example, what does this mean: origin = https://youtube.com type = 3rdPartyStorage^https://www.cdc.gov ??

After canceling the permission I cannot check with "Ausnahmen verwalten", and looking through the permissions.sqlite – damn! – I didn't think about that yesterday. Should have checked that.

This thing is not explicable to me. I have never seen it before and it does not appear on any other site or in any other firefox profile. It's just been exactly this combination.

The question remains unanswered how site2 can have a permission on site1 while they are absolutely unrelated or intertwined.

BTW, in my firefox profiles looking through permissions.sqlite I do not have the same couple "youtube" and "cdc.gov". May be related to anti-COVID misinformation features on youtube?!

Modified by mozilla308 on 




mozilla308 said

The question remains unanswered how site2 can have a permission on site1 while they are absolutely unrelated or intertwined.

I would be guessing, but I think Firefox would only mention that if there was site2 content loading into site1. Why is site2 content loading into site1? If it's not part of the design of site1, it might be injected by an add-on or by a proxy server.



My understanding is that there is not any content loaded and no cookies set etc. It's just the permission which is set. Still that is super weird and I can't follow the technical flow here – how's that even feasible, it should not be possible by design.

A proxy server is not used other than of course site1's nginx proxy/web server that serves the applications. It is our server and our application hosted on our premises, so I can for sure say that site1 has no architectural ties with site2.

The suggestion that an add-on could be responsible is interesting. Do you have an example how that would be done or a real life example from the past where that has happened?

Modified by mozilla308 on 



Some types of alien content injection by add-ons include:

  • definition/translation widgets (reduced in recent years due to the bar on remote code injection)
  • shopping comparison data
  • stealth ads on search results pages (malware)



I see.

site1 is a kind of a cloud app platform for internal use where the outside world has no access. site2 is a "standard" website of a company with some information about their products, you know, the usual thing.

I'll check through the add-ons but am not overly confident.
