
[Potential Issue]: Cookies being stored in private browsing mode

Posted: 2020-06-07, 13:23
by adesh
I've seen this earlier also a few times but at those times I was not entirely sure. This time the incident is fresh and I have details.

Today, just for fun, I decided to clear some cookies (which I seldom do). To my surprise, I found two sites in the cookie manager which I had visited in the private browsing mode. One of the sites/domain was visited just yesterday when I wanted to debug something; the other was visited about a month ago.

If we assume that I might have opened them in normal mode, they are not listed anywhere in the browser history. I also don't clear my browsing history so they ought to be found there.
I can say I've seen the issue more than once in the past also but I was doubtful. Two add-ons - eMatrix and Decentraleyes - may have some part in this as I've been using them for the most part of my browsing with Pale Moon.

The current incident is related to Pale Moon built from master (a week old) on my Mac machine. But I'm sure OS platform should not matter in such cases and issue has a historic nature to itself. Also, the affected browsing session lasted a few days with private windows being closed and opened as needed. Then today browser was closed and system was shut down to give it a relief. After a few hours, I started the system and decided to do the cleanup and that's when I found this.

I understand this should (cannot?) be a browser issue but I'm just surprised and don't know what to think of it.

Re: [Potential Issue]: Cookies being stored in private browsing mode

Posted: 2020-06-07, 14:48
by vannilla
If eMatrix is involved in this issue then it's a bug.
I might monitor this thread but just in case, if the extension is found to have a part (or even be the culprit!) in this issue, then please report it to me, either directly, in the extension thread here, or on GitLab.
By default it should handle cookies only when sending them back, while storage is left to the browser. eMatrix if anything deletes cookies when they are blocked after a certain interval.

Re: [Serious Bug]: Cookies being stored in private browsing mode

Posted: 2020-07-19, 14:12
by adesh
So I have found the cause of this and it's not the extensions. Problem is in the browser core (devtools), and both Pale Moon and Basilisk are affected.

This thread title should read as:
Leakage of cookies in private browsing mode via devtools source maps network requests
(It is possible that all requests made by devtools are affected.)

In my case and STR below, the issue occurs when you open the Debugger tab in devtools. To fetch source maps, devtools make network requests for the assets loaded on the web page. When this happens, cookies stored in the private store are somehow sent to the normal (permanent) cookie store.

This probably means that devtools do not make requests in a private context.


Steps to reproduce:
  1. Load a site in private mode. I'm using lastpass.com as it is easily reproducible there.
  2. Check that cookies UI doesn't list anything for the above site. EXPECTED
  3. Open DevTools and select Debugger. Wait a couple of seconds and close the devtools.
  4. Now, cookies have persisted and the cookies dialog should show the same. Screenshot below. NOT EXPECTED
    Screenshot 2020-07-19 at 6.48.07 PM.png
    [You can stop here, proceed for curiosity.]
    Cookies set further by the website will be tacked on and leak further if you keep browsing the site and open Debugger later.
  5. Click the "Log In" link to reach the log in page so some more cookies are set by the site in private store. Cookies dialog will still show the single cookie shown above.
  6. Now open Debugger again. Now there will be a few additional cookies in the cookie store as shown in the screenshot.
    Screenshot 2020-07-19 at 7.01.24 PM.png
Additionally, following errors were encountered while processing the source maps:

TabSources.prototype._fetchSourceMap threw an exception: [Exception... "Component returned failure code: 0x80470002 (NS_BASE_STREAM_CLOSED) [nsIInputStream.available]"  nsresult: "0x80470002 (NS_BASE_STREAM_CLOSED)"  location: "JS frame :: resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/DevToolsUtils.js :: onResponse :: line 448"  data: no]
Stack: onResponse@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/DevToolsUtils.js:448:23
onStopRequest@resource://gre/modules/NetUtil.jsm:128:17
Line: 448, column: 0
console.error:
  TabSources.prototype._fetchSourceMap threw an exception: [Exception... "Component returned failure code: 0x80470002 (NS_BASE_STREAM_CLOSED) [nsIInputStream.available]"  nsresult: "0x80470002 (NS_BASE_STREAM_CLOSED)"  location: "JS frame :: resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/DevToolsUtils.js :: onResponse :: line 448"  data: no]
Stack: onResponse@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/DevToolsUtils.js:448:23
onStopRequest@resource://gre/modules/NetUtil.jsm:128:17
Line: 448, column: 0

TabSources.prototype._fetchSourceMap threw an exception: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data
Stack: SourceMapConsumer@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/sourcemap/source-map.js:1281:20
_fetchSourceMap/fetching<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/utils/TabSources.js:472:19
process@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:932:23
walkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:813:7
scheduleWalkerLoop/<@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:747:11
Line: 1281, column: 20
console.error:
  TabSources.prototype._fetchSourceMap threw an exception: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data
Stack: SourceMapConsumer@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/sourcemap/source-map.js:1281:20
_fetchSourceMap/fetching<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/utils/TabSources.js:472:19
process@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:932:23
walkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:813:7
scheduleWalkerLoop/<@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:747:11
Line: 1281, column: 20

As expected, third-party cookie settings don't mean anything in this context. So if you follow the above steps with a page which has YouTube embeds and inspect its sources in debugger, YouTube cookies will also be set regardless of your third-party cookie settings. Example page: https://www.html5rocks.com/en/tutorials ... ourcemaps/ (no console errors in this case though)
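
Added example, not part of the original post or of Pale Moon's code: a profile audit that automates the check described in this thread, listing hosts that hold persistent cookies but have no matching history entry. The `moz_cookies` and `moz_places` table names are assumed from the Firefox-derived profile schema, and all rows below are constructed sample data.

```python
import sqlite3
from urllib.parse import urlsplit

# Constructed sample rows; a real check would read copies of the profile's
# cookies.sqlite and places.sqlite (Firefox-derived table names assumed).
SAMPLE_COOKIES = [
    (".example.org", "session"),          # site visited in a normal window
    ("www.example.org", "prefs"),
    (".cdn.example.net", "lb"),           # a subdomain appears in history
    ("private-only.example", "sid"),      # only ever opened privately
    ("private-only.example", "tracking"),
]
SAMPLE_HISTORY = [
    "https://www.example.org/docs",
    "https://static.cdn.example.net/app.js",
    "about:blank",
]

def build_sample_db():
    """Both tables in one in-memory database, standing in for the two files."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT)")
    db.execute("CREATE TABLE moz_places (url TEXT)")
    db.executemany("INSERT INTO moz_cookies VALUES (?, ?)", SAMPLE_COOKIES)
    db.executemany("INSERT INTO moz_places VALUES (?)",
                   [(u,) for u in SAMPLE_HISTORY])
    return db

def covered(cookie_host, visited_hosts):
    """True if a visited host equals or is a subdomain of the cookie's domain."""
    domain = cookie_host.lstrip(".").lower()
    return any(h == domain or h.endswith("." + domain) for h in visited_hosts)

def cookie_hosts_without_history(db):
    """Return sorted (host, cookie_count) pairs with no matching history URL."""
    visited = set()
    for (url,) in db.execute("SELECT url FROM moz_places"):
        host = urlsplit(url).hostname     # None for about:, file:, etc.
        if host:
            visited.add(host.lower())
    counts = {}
    for (host,) in db.execute("SELECT host FROM moz_cookies"):
        if not covered(host, visited):
            counts[host] = counts.get(host, 0) + 1
    return sorted(counts.items())

if __name__ == "__main__":
    for host, n in cookie_hosts_without_history(build_sample_db()):
        print(f"{host}: {n} cookie(s) with no matching history entry")
```

Flagged hosts are candidates only: third-party cookies set during normal browsing also have no history entry of their own, so each hit still needs to be checked against what was opened in private windows.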

Re: [Potential Issue]: Cookies being stored in private browsing mode

Posted: 2020-07-19, 17:07
by Moonchild
I don't think there's much we can do about devtools violating the precariously set-up private browsing mode because it is a developer tool and as such doesn't really take private browsing into account.