We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Cookies from second site have cross-site permission on first site, how is that possible?

  • 8 replies
  • 1 has this problem
  • 11 views
  • Last reply by mozilla308

more options

I am on site 1 (site1.net) in a video call. In the permissions pop-up of the FF browser it shows me that cross-site cookies are allowed for site 2 (yetanothersite.com). See the screenshot attached. Both sites are totally unrelated and have no link whatsoever. I visited site 2 once many months or a year ago. To my understanding it is very odd, that there is a permission for cross-site cookies from site 2 on site 1. This permission is not set on any other site. How could this permission have been set up, was it me, is this a bug? How come there is a permission for site 2 on site 1 while they have no interrelation? I have searched through the cookies.sqlite DB and found nothing irregular. The privacy / tracking settings are set to the "standard" choice. What am I missing here?

The system is Windows 11 with current FF 96.x.

I am on site 1 (site1.net) in a video call. In the permissions pop-up of the FF browser it shows me that cross-site cookies are allowed for site 2 (yetanothersite.com). See the screenshot attached. Both sites are totally unrelated and have no link whatsoever. I visited site 2 once many months or a year ago. To my understanding it is very odd, that there is a permission for cross-site cookies from site 2 on site 1. This permission is not set on any other site. How could this permission have been set up, was it me, is this a bug? How come there is a permission for site 2 on site 1 while they have no interrelation? I have searched through the cookies.sqlite DB and found nothing irregular. The privacy / tracking settings are set to the "standard" choice. What am I missing here? The system is Windows 11 with current FF 96.x.
Attached screenshots

Modified by mozilla308

All Replies (8)

more options

I gather the following preference (default value is true) is responsible: network.cookie.sameSite.laxByDefault

more options

I don't think I've seen that, but I rarely look at the panel and I'm not sure what kind of sites to check.

If you open the exceptions list -- "Ausnahmen verwalten…" button on the Preferences page -- is the other site listed there with an Allow permission?

If you check the 'moz_perms' table in permissions.sqlite, you can look for unexpected permissions. I noticed some referring to 3rdPartyStorage followed by a third party site. For example, what does this mean:

origin = https://youtube.com type = 3rdPartyStorage^https://www.cdc.gov

??

more options

TNorth said

I gather the following preference (default value is true) is responsible: network.cookie.sameSite.laxByDefault

This may be one or the responsible preference, but does not explain how site2 can gather a permission on site1, while they are totally unrelated and unlinked.

jscher2000 said

I don't think I've seen that, but I rarely look at the panel and I'm not sure what kind of sites to check. If you open the exceptions list -- "Ausnahmen verwalten…" button on the Preferences page -- is the other site listed there with an Allow permission? If you check the 'moz_perms' table in permissions.sqlite, you can look for unexpected permissions. I noticed some referring to 3rdPartyStorage followed by a third party site. For example, what does this mean: origin = https://youtube.com type = 3rdPartyStorage^https://www.cdc.gov ??

After canceling the permission I can not check with "Ausnahmen verwalten", and looking through the permissions.sqlite – damn! – I didn't think about that yesterday. Should have checked that.

This thing is not explicable to me. I have never seen it before and it does not appear on any other site or in any other firefox profile. It's just been exactly this combination.

The question remains unanswered how site2 can have a permission on site1 while they are absolutely unrelated or intertwined.

BTW, in my firefox profiles looking through permissions.sqlite I do not have the same couple "youtube" and "cdc.gov". May be related to anti-COVID misinformation features on youtube?!

Modified by mozilla308

more options

TNorth said

I gather the following preference (default value is true) is responsible: network.cookie.sameSite.laxByDefault

This may be one or the responsible preference, but does not explain how site2 can gather a permission on site1, while they are totally unrelated and unlinked.

jscher2000 said

I don't think I've seen that, but I rarely look at the panel and I'm not sure what kind of sites to check. If you open the exceptions list -- "Ausnahmen verwalten…" button on the Preferences page -- is the other site listed there with an Allow permission? If you check the 'moz_perms' table in permissions.sqlite, you can look for unexpected permissions. I noticed some referring to 3rdPartyStorage followed by a third party site. For example, what does this mean: origin = https://youtube.com type = 3rdPartyStorage^https://www.cdc.gov ??

After canceling the permission I can not check with "Ausnahmen verwalten", and looking through the permissions.sqlite – damn! – I didn't think about that yesterday. Should have checked that.

This thing is not explicable to me. I have never seen it before and it does not appear on any other site or in any other firefox profile. It's just been exactly this combination.

The question remains unanswered how site2 can have a permission on site1 while they are absolutely unrelated or intertwined.

BTW, in my firefox profiles looking through permissions.sqlite I do not have the same couple "youtube" and "cdc.gov". May be related to anti-COVID misinformation features on youtube?!

more options

mozilla308 said

The question remains unanswered how site2 can have a permission on site1 while they are absolutely unrelated or intertwined.

I would be guessing, but I think Firefox would only mention that if there was site2 content loading into site1. Why is site2 content loading into site1? If it's not part of the design of site1, it might be injected by an add-on or by a proxy server.

more options

My understanding is that there is not any content loaded and no cookies set etc. It's just the permission which is set. Still that is super weird and I can't follow the technical flow here – how's that even feasible, it should not be possible by design.

A proxy server is not used other than of course site1's nginx proxy/web server that serves the applications. It is our server and our application hosted on our premises, so I can for sure say that site1 has no architectural ties with site2.

The suggestion that an add-on could be responsible is interesting. Do you have an example how that would be done or a real life example from the past where that has happened?

Modified by mozilla308

more options

Some types of alien content injection by add-ons include:

  • definition/translation widgets (reduced in recent years due to the bar on remote code injection)
  • shopping comparison data
  • stealth ads on search results pages (malware)
more options

I see.

site1 is a kind of a cloud app platform for internal use where the outside world has no access. site2 is a "standard" website of a company with some information about their products, you know, the usual thing.

I'll check through the add-ons but am not overly confident.