Cookies from second site have cross-site permission on first site, how is that possible?
I am on site 1 (site1.net) in a video call. In the permissions pop-up of the FF browser it shows me that cross-site cookies are allowed for site 2 (yetanothersite.com). See the screenshot attached. Both sites are totally unrelated and have no link whatsoever. I visited site 2 once many months or a year ago. To my understanding it is very odd that there is a permission for cross-site cookies from site 2 on site 1. This permission is not set on any other site. How could this permission have been set up? Was it me, or is this a bug? How come there is a permission for site 2 on site 1 while they have no interrelation? I have searched through the cookies.sqlite DB and found nothing irregular. The privacy / tracking settings are set to the "standard" choice. What am I missing here?
The system is Windows 11 with current FF 96.x.
All Replies (8)
I gather the following preference (default value is true) is responsible: network.cookie.sameSite.laxByDefault
I don't think I've seen that, but I rarely look at the panel and I'm not sure what kind of sites to check.
If you open the exceptions list -- "Ausnahmen verwalten…" ("Manage Exceptions…") button on the Preferences page -- is the other site listed there with an Allow permission?
If you check the 'moz_perms' table in permissions.sqlite, you can look for unexpected permissions. I noticed some referring to 3rdPartyStorage followed by a third party site. For example, what does this mean:
origin = https://youtube.com type = 3rdPartyStorage^https://www.cdc.gov
??
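The moz_perms query suggested above can be done with a short script instead of browsing the table by hand. The following is an added example, not code from the thread or from Mozilla: it lists every `3rdPartyStorage^<origin>` row, decodes the permission value, and flags rows where the top-level site and the embedded site do not even share a registrable domain. The column layout (`origin`, `type`, `permission`, `expireType`, `expireTime`, `modificationTime`), the permission codes (1 = allow, 2 = deny) and the millisecond timestamp are assumptions about the current Firefox schema; check them against your own profile with `sqlite3 permissions.sqlite '.schema moz_perms'` before trusting the output. The sample database it builds is constructed for the demonstration (it mirrors the youtube.com / cdc.gov row from this thread and the site1/site2 case from the question) and is not real profile data.

```python
"""Audit Firefox permissions.sqlite for cross-site storage (3rdPartyStorage) grants.

Added example, not from the thread. Assumed moz_perms layout (verify against
your own profile): origin TEXT, type TEXT, permission INTEGER (1 = allow,
2 = deny), expireType INTEGER, expireTime INTEGER, modificationTime INTEGER
(milliseconds since the epoch).
"""
import sqlite3
import sys
import tempfile
from datetime import datetime, timezone
from urllib.parse import urlsplit

THIRD_PARTY_PREFIX = "3rdPartyStorage^"   # encoding as seen in the thread
PERMISSION_NAMES = {0: "unknown", 1: "allow", 2: "deny"}  # assumed codes


def registrable_domain(origin):
    """Crude eTLD+1: the last two host labels. No public-suffix list, so
    co.uk-style suffixes are mis-handled; good enough to spot unrelated sites."""
    host = urlsplit(origin).hostname or origin
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def third_party_storage_grants(db_path):
    """Return one dict per 3rdPartyStorage^ row in moz_perms."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT origin, type, permission, expireType, expireTime, modificationTime "
            "FROM moz_perms WHERE type LIKE ?",
            (THIRD_PARTY_PREFIX + "%",),
        ).fetchall()
    finally:
        con.close()
    grants = []
    for origin, ptype, perm, expire_type, expire_time, modified in rows:
        embedded = ptype[len(THIRD_PARTY_PREFIX):]
        grants.append({
            "top_level": origin,          # the site you were on
            "third_party": embedded,      # the site granted storage access there
            "permission": PERMISSION_NAMES.get(perm, str(perm)),
            "same_site": registrable_domain(origin) == registrable_domain(embedded),
            "expires": expire_type != 0,  # 0 is assumed to mean "never expires"
            "modified": datetime.fromtimestamp(modified / 1000, tz=timezone.utc).isoformat()
            if modified else None,
        })
    return grants


def unrelated_grants(db_path):
    """Allow grants between sites that do not share a registrable domain:
    exactly the kind of pairing the question is about."""
    return [g for g in third_party_storage_grants(db_path)
            if g["permission"] == "allow" and not g["same_site"]]


def sample_db_path():
    """Build a constructed permissions.sqlite (not real profile data) and return its path."""
    path = tempfile.NamedTemporaryFile(suffix=".sqlite", delete=False).name
    con = sqlite3.connect(path)
    con.execute("""CREATE TABLE moz_perms (
        id INTEGER PRIMARY KEY, origin TEXT, type TEXT, permission INTEGER,
        expireType INTEGER, expireTime INTEGER, modificationTime INTEGER)""")
    con.executemany("INSERT INTO moz_perms VALUES (NULL, ?, ?, ?, ?, ?, ?)", [
        ("https://youtube.com", "3rdPartyStorage^https://www.cdc.gov", 1, 0, 0, 1640995200000),
        ("https://site1.net", "3rdPartyStorage^https://yetanothersite.com", 1, 0, 0, 1641600000000),
        ("https://login.example.org", "3rdPartyStorage^https://sso.example.org", 1, 0, 0, 1641600000000),
        ("https://site1.net", "cookie", 1, 0, 0, 1641600000000),  # unrelated row, must be ignored
    ])
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    # Usage: python audit_perms.py /path/to/profile/permissions.sqlite
    # (copy the file first; Firefox keeps it locked while running).
    db = sys.argv[1] if len(sys.argv) > 1 else sample_db_path()
    for grant in unrelated_grants(db):
        print(grant)
```

Run it against a copy of the profile's permissions.sqlite; the `modified` timestamp tells you when the row was written, which is usually enough to correlate the grant with what you were doing in the browser at the time.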
TNorth said
I gather the following preference (default value is true) is responsible: network.cookie.sameSite.laxByDefault
This may be one of the responsible preferences, or the responsible one, but it does not explain how site2 can gather a permission on site1 while they are totally unrelated and unlinked.
jscher2000 said
I don't think I've seen that, but I rarely look at the panel and I'm not sure what kind of sites to check. If you open the exceptions list -- "Ausnahmen verwalten…" button on the Preferences page -- is the other site listed there with an Allow permission? If you check the 'moz_perms' table in permissions.sqlite, you can look for unexpected permissions. I noticed some referring to 3rdPartyStorage followed by a third party site. For example, what does this mean: origin = https://youtube.com type = 3rdPartyStorage^https://www.cdc.gov ??
After canceling the permission I cannot check with "Ausnahmen verwalten" ("Manage Exceptions"), and looking through permissions.sqlite – damn! – I didn't think about that yesterday. Should have checked that.
This thing is not explicable to me. I have never seen it before and it does not appear on any other site or in any other firefox profile. It's just been exactly this combination.
The question remains unanswered how site2 can have a permission on site1 while they are absolutely unrelated and in no way intertwined.
BTW, in my firefox profiles looking through permissions.sqlite I do not have the same couple "youtube" and "cdc.gov". May be related to anti-COVID misinformation features on youtube?!
mozilla308 said
The question remains unanswered how site2 can have a permission on site1 while they are absolutely unrelated or intertwined.
I would be guessing, but I think Firefox would only mention that if there was site2 content loading into site1. Why is site2 content loading into site1? If it's not part of the design of site1, it might be injected by an add-on or by a proxy server.
My understanding is that there is no content loaded and no cookies set etc. It's just the permission which is set. Still, that is super weird and I can't follow the technical flow here; how's that even feasible? It should not be possible by design.
A proxy server is not used other than of course site1's nginx proxy/web server that serves the applications. It is our server and our application hosted on our premises, so I can for sure say that site1 has no architectural ties with site2.
The suggestion that an add-on could be responsible is interesting. Do you have an example how that would be done or a real life example from the past where that has happened?
Some types of alien content injection by add-ons include:
- definition/translation widgets (reduced in recent years due to the bar on remote code injection)
- shopping comparison data
- stealth ads on search results pages (malware)
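A practical first step for the add-on hypothesis above is to find out which installed add-ons are even allowed to run content on site1. The following is an added example, not code from the thread or from Mozilla: it reads the profile's extensions.json, evaluates each add-on's host permissions as WebExtension match patterns against a site1 URL, and lists the add-ons that can inject content there. The assumed file layout (a top-level `addons` list whose entries carry `id`, `type`, `active`, `userDisabled`, `defaultLocale.name` and `userPermissions.origins`) should be checked against your own extensions.json; the add-on names and ids in the embedded sample are constructed for the demonstration.

```python
"""List installed Firefox add-ons whose host permissions cover a given site.

Added example, not from the thread. Assumed extensions.json layout (verify
against your profile): {"addons": [{"id", "type", "active", "userDisabled",
"defaultLocale": {"name"}, "userPermissions": {"origins": [match patterns]}}]}
"""
import fnmatch
import json
import sys
from urllib.parse import urlsplit

WILDCARD_SCHEMES = {"http", "https", "ws", "wss"}  # what "*://" expands to

# Constructed sample, not a real profile file.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "price-helper@example.invalid", "type": "extension", "active": True,
         "userDisabled": False, "defaultLocale": {"name": "Price Helper"},
         "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]}},
        {"id": "dict@example.invalid", "type": "extension", "active": True,
         "userDisabled": False, "defaultLocale": {"name": "Dictionary"},
         "userPermissions": {"permissions": [], "origins": ["*://*.example.com/*"]}},
        {"id": "old-tool@example.invalid", "type": "extension", "active": False,
         "userDisabled": True, "defaultLocale": {"name": "Old Tool"},
         "userPermissions": {"permissions": [], "origins": ["https://*.site1.net/*"]}},
        {"id": "default-theme@mozilla.org", "type": "theme", "active": True,
         "userDisabled": False, "defaultLocale": {"name": "Default"},
         "userPermissions": {"permissions": [], "origins": []}},
    ],
})


def match_pattern_covers(pattern, url):
    """True if a WebExtension match pattern grants access to url.
    Handles <all_urls>, '*' scheme, '*' / '*.host' / exact host, and glob paths."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    scheme_pat, rest = pattern.split("://", 1)
    host_pat, _, path_pat = rest.partition("/")
    path_pat = "/" + path_pat
    parts = urlsplit(url)
    scheme, host, path = parts.scheme, parts.hostname or "", parts.path or "/"
    if scheme_pat == "*":
        if scheme not in WILDCARD_SCHEMES:
            return False
    elif scheme_pat != scheme:
        return False
    if host_pat == "*":
        pass
    elif host_pat.startswith("*."):
        suffix = host_pat[2:]
        if host != suffix and not host.endswith("." + suffix):
            return False
    elif host_pat != host:
        return False
    return fnmatch.fnmatchcase(path, path_pat)


def addons_with_access(extensions_json_text, url, include_disabled=False):
    """Add-ons whose granted host permissions cover url, in file order."""
    hits = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension":   # themes, dictionaries etc. cannot inject
            continue
        enabled = bool(addon.get("active")) and not addon.get("userDisabled", False)
        if not enabled and not include_disabled:
            continue
        origins = addon.get("userPermissions", {}).get("origins", [])
        matching = [p for p in origins if match_pattern_covers(p, url)]
        if matching:
            hits.append({
                "id": addon.get("id"),
                "name": addon.get("defaultLocale", {}).get("name", addon.get("id")),
                "enabled": enabled,
                "patterns": matching,
            })
    return hits


if __name__ == "__main__":
    # Usage: python audit_addons.py /path/to/profile/extensions.json https://app.site1.net/
    if len(sys.argv) > 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        target = sys.argv[2]
    else:
        text, target = SAMPLE_EXTENSIONS_JSON, "https://app.site1.net/call"
    for hit in addons_with_access(text, target, include_disabled=True):
        print(hit)
```

Anything that shows up with `<all_urls>` or a `*://*/*` pattern is a candidate for injecting site2 content into site1, regardless of what the add-on is nominally for; disabling those one at a time and watching whether the permission reappears narrows it down quickly.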
I see.
site1 is a kind of a cloud app platform for internal use where the outside world has no access. site2 is a "standard" website of a company with some information about their products, you know, the usual thing.
I'll check through the add-ons but am not overly confident.