Firefox

Status

Under Review/Discussion

Related pages

Some pages require authorization.

  • [meta] Vulnerabilities Related to Web Browser Permissions

https://bugzilla.mozilla.org/show_bug.cgi?id=1784741

  • [meta] Android Vulnerabilities Related to Web Browser Permissions

https://bugzilla.mozilla.org/show_bug.cgi?id=1786933

  • [meta] iOS Vulnerabilities Related to Web Browser Permissions

https://bugzilla.mozilla.org/show_bug.cgi?id=1786935

  • [Bug 1788629] Notification permissions are retained across private browsing sessions

https://bugzilla.mozilla.org/show_bug.cgi?id=1788629

  • [Bug 1788633] Permissions are not cleared when using the browser’s data clearing mechanism

https://bugzilla.mozilla.org/show_bug.cgi?id=1788633

  • [Bug 1788638] Notification permission status is permanently remembered in Normal Browsing Mode

https://bugzilla.mozilla.org/show_bug.cgi?id=1788638

  • [Bug 1788639] Selection by the user to deny notification permissions is not properly reflected in Private Browsing Mode

https://bugzilla.mozilla.org/show_bug.cgi?id=1788639

  • [Bug 1530394] Turn each private browsing window into a separate session

https://bugzilla.mozilla.org/show_bug.cgi?id=1530394

  • [Bug 1787034] The notification permission granted in normal browsing mode also applies to private browsing

https://bugzilla.mozilla.org/show_bug.cgi?id=1787034

  • [Bug 1786934] Security bug In Firefox on iOS, the permission request prompt from the site in the background tab is overlaid on top of the site in the foreground tab.

https://bugzilla.mozilla.org/show_bug.cgi?id=1786934

Timelines

We submitted the report on August 14, 2022. The Firefox team split our report into separate bug entries, one for each implementation and platform, so we show a timeline for each entry. For copyright reasons, some messages are summarized rather than quoted; please check the full messages on Bugzilla.

[meta] iOS Vulnerabilities Related to Web Browser Permissions

2022/08/25

Firefox sent us a question about the report.

When you say that the iOS browser permanently retains the geolocation permission selection, do you mean the iOS app settings?

2022/08/25

We submitted an answer to the question.

We do not refer to the “App permission in iOS settings.” We refer to the location permission requested/set for each website in the Firefox browser.

[Bug 1788629] Notification permissions are retained across private browsing sessions

2022/09/01

The Mozilla team pointed out that the issue can be reproduced under conditions other than those we had specified.

2022/09/03

We sent a reply message.

We operated Firefox in the following sequence during our investigation.
This procedure includes the step (step 6) of quitting the Firefox browser, including the standard browsing mode windows, in the middle of the operation.

Steps in our analysis

  1. launch the Firefox browser
  2. open a website requesting notification permission in Private Browsing mode (e.g., https://permission.site)
  3. the website requests notification permission
  4. we grant the requested notification permission
  5. close Private Browsing mode window
  6. Quit Firefox browser (also quits normal browsing mode)
  7. launch the Firefox browser
  8. open the website requesting notification permission in Private Browsing mode (the same site as in 2)
  9. the website requests notification permission
  10. we analyze the permission status at this time

With this procedure, we concluded that the permission state is persistent only in Private Browsing mode of Firefox on Mac.

However, when step 6 of the above procedure is omitted, i.e., the close/open operation of the Private Browsing window is performed without quitting the Firefox browser, we found that the notification permissions are persistent in Private Browsing mode on Windows and Linux (Ubuntu) as well.

We think this implementation should be fixed for privacy.

2022/09/10

We received a response to our reply.

In Firefox, when a user closes a private window and then opens a new private window, they are still in the same private browsing “session”. This is not what the user expects. See bug 1530394.

2022/09/14

We sent a reply message.

I agree that the implementation of Bug 1530394 is inappropriate. On the Mac, the Firefox application process is not terminated when the user exits the application via the “Close Window” button. This means that the normal browsing session is maintained even after the user clicks the “Close Window” button. Therefore, compared to other operating systems, the normal browsing session is more likely to be maintained on the Mac, making Bug 1530394 a greater threat.

[Bug 1788633] Permissions are not cleared when using the browser’s data clearing mechanism

2022/09/01

Firefox sent us a question about the report.

Could you please specify which browser clearing mechanism you mean? “Clear cookies and site data” does not clear permissions.

2022/09/03

We answered the question.

Thank you for reviewing our report.

In our analysis, we used the “Clear cookies and site data” feature for the following reason.

First, in the following document, “Cookies and Site Data” is explained as “to remove login status and site preferences”.
https://support.mozilla.org/en-US/kb/storage#w_clear-all-information

Second, in the following document, “Site preferences” is defined as “Site-specific preferences, including the saved zoom level for sites, character encoding, and the permissions for sites (like pop-up blocker exceptions) described in the Page Info window.”
https://support.mozilla.org/en-US/kb/delete-browsing-search-download-history-firefox

So, we concluded that the “Clear cookies and site data” feature should clear “Site Preferences,” which contain the permissions for the site.

2022/09/07

We received a response to our reply.

The description on the official website is incorrect.

2022/09/10

We received further explanations.

The description on the site seems ambiguous.

This feature is intended, but if your team was confused about what these options do, and perhaps many others are too, it might improve the clarity of the UI.

2022/09/14

We commented on the description.

We agree that the documentation inconsistencies should be fixed.
Also, even if the documentation inconsistencies are fixed, many people could be confused with the functionality.
So, it would be desirable to enhance the UI of this feature in the medium to long term.
For example, it would be possible to mitigate user confusion by simply clarifying to the user the data that are not covered by the “Clear cookies and site data” mechanism and suggesting the use of the “Clear recent history” function if the user wishes to erase those data.

[Bug 1788638] Notification permission status is permanently remembered in Normal Browsing Mode

Discussions are still ongoing.

[Bug 1788639] Selection by the user to deny notification permissions is not properly reflected in Private Browsing Mode

2022/09/01

Firefox sent us a question about the report.

All permissions in Private Browsing mode are temporary, which is the intended behavior.
Temporary permissions are not exposed through the Permissions API.

Do “default” and “denied” refer to the Permissions API?

2022/09/03

We answered the question.

Thank you for reviewing our report.

We used the Notification API to get the permission state “default”, not the Permissions API.

You can reproduce this by following these steps.

  1. Launch the Firefox browser
  2. Open a website (https://permission.site) in Private Browsing mode
  3. Click the notification button on the website to receive the notification permission request.
  4. The website requests Notification permission
  5. Click the “Block” button on the permission request prompt
  6. Open the “Browser Console” from “Inspect”
  7. Enter “Notification.permission” and press Enter.
  8. Check the returned value (you will see “default”, not “denied”)
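The reproduction above hinges on a page reading `Notification.permission` and seeing “default” after the user clicked “Block”, so a site that re-prompts whenever the state is “default” would ask the same user again. As an added example (not code from the original report or from Firefox), the following helper shows how a site can avoid that by keeping its own record of the user's answer and consulting it whenever the browser reports the undecided state. `makePrivateWindowNotificationStub` and `makeMemoryStore` are constructed stand-ins for `Notification` and `sessionStorage` so the script runs outside a browser; the assumption that `requestPermission()` resolves to “denied” in this case is ours and is not stated on the page.

```javascript
// Added example, not part of the original report or of Firefox: a page-side
// helper that avoids re-prompting a user who already blocked notifications,
// even when the browser reports the state as "default" afterwards.

// Map the two vocabularies onto one: the Permissions API says "prompt" and
// the Notification API says "default" for the same undecided state.
function normalizeState(state) {
  if (state === "default" || state === "prompt") return "prompt";
  if (state === "granted" || state === "denied") return state;
  return "unknown";
}

// Effective state as the page should treat it: an explicit browser answer
// wins; otherwise a decision the page recorded earlier fills the gap.
function effectiveState(browserState, recordedDecision) {
  const browser = normalizeState(browserState);
  if (browser === "granted" || browser === "denied") return browser;
  if (recordedDecision === "denied" || recordedDecision === "granted") return recordedDecision;
  return "prompt";
}

// Prompt only when neither the browser nor our own record holds a decision.
function shouldPrompt(browserState, recordedDecision) {
  return effectiveState(browserState, recordedDecision) === "prompt";
}

// Request permission at most once per decision. `notificationApi` is the
// browser's Notification object; `store` is anything with the
// getItem/setItem interface of sessionStorage.
async function requestNotificationOnce(notificationApi, store, key = "notification-decision") {
  const recorded = store.getItem(key);
  if (!shouldPrompt(notificationApi.permission, recorded)) {
    return { prompted: false, state: effectiveState(notificationApi.permission, recorded) };
  }
  const answer = await notificationApi.requestPermission();
  if (answer === "granted" || answer === "denied") store.setItem(key, answer);
  return { prompted: true, state: answer };
}

// Constructed stand-in for Firefox's Notification object in a private window,
// mimicking the behaviour described in the report: the user clicks "Block",
// yet .permission keeps reading "default" afterwards. That the real
// requestPermission() promise resolves to "denied" here is an assumption.
function makePrivateWindowNotificationStub() {
  return {
    permission: "default",
    requestPermission: async () => "denied",
  };
}

// Minimal sessionStorage-compatible store for running outside a browser.
function makeMemoryStore() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}

// Walk through the scenario twice: the first call prompts and records the
// denial; the second call still sees "default" from the browser but does not
// prompt again because the record says "denied".
async function demo() {
  const notification = makePrivateWindowNotificationStub();
  const store = makeMemoryStore();
  const first = await requestNotificationOnce(notification, store);
  const second = await requestNotificationOnce(notification, store);
  return { first, second };
}

// Outside a browser, run the constructed scenario and print the two results.
if (typeof window === "undefined") {
  demo().then((r) => console.log(JSON.stringify(r)));
}
```

In a real page, call `requestNotificationOnce(Notification, window.sessionStorage)` instead of the stubs. `sessionStorage` is scoped to the tab and discarded with it, so the page's record does not outlive the private window; this keeps the helper consistent with the temporary-permission model Mozilla describes while still sparing the user a second prompt within the same visit.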

2022/11/02

Discussions are still ongoing.

[Bug 1530394] Turn each private browsing window into a separate session

Since this issue is public already, the full message is available at the link below.

https://bugzilla.mozilla.org/show_bug.cgi?id=1530394

[Bug 1787034] The notification permission granted in normal browsing mode also applies to private browsing

2022/11/14

The issue in which notification permissions granted in normal browsing mode also applied to private browsing has been fixed; the fix is available in Firefox Nightly 109.0a1.

2023/01/17

The issue in which notification permissions granted in normal browsing mode also applied to private browsing has been fixed; the fix is available in Firefox 109.

This vulnerability has been assigned to CVE-2023-23600.

Advisories can be found at
https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/

[Bug 1786934] Security bug In Firefox on iOS, the permission request prompt from the site in the background tab is overlaid on top of the site in the foreground tab.

2023/07/04

Resolved.

This vulnerability has been assigned to CVE-2023-37455.

Advisories can be found at

https://www.mozilla.org/en-US/security/advisories/mfsa2023-25/