
This thread has been archived. Please ask a new question if you need help.

Why does Firefox share data between google domains even with all privacy options on?

  • 2 replies
  • 2 people have this problem
  • 1 view
  • Last reply by gggh


I have noticed that when I manually log in to accounts.google.com with no prior cookies in the browser and no prior association with a Google account, it automatically logs me into sites like youtube.com, even with the strictest cookie policies (tried with Strict, custom+cross-site and custom+third-party). I do not particularly mind privacy-wise, since I'll log into them with the same account anyway, but as far as I understood, there should be absolutely no way this should happen. Cookies should be isolated by domain; I have uBlock Origin installed, which prevents cookie sharing between domains by setting some CNAME records in subdomains (Uncloak canonical names), and afaik Firefox does not automatically read the Google account cookies and share them around - if it did, that would be even more serious. So what is happening here, and how can I change that? This seems to be a serious issue that I'm honestly not comfortable with on principle, since I chose the strictest settings.


All replies (2)


Hi,

I agree. Mozilla shouldn't accept the fact that youtube login state relies on accounts.google.com. This should be an unreachable third-party cookie for us. This is an old and forgotten issue -> https://bugzilla.mozilla.org/show_bug.cgi?id=1319839

This post was modified by TyDraniu


TyDraniu said

Hi, I agree. Mozilla shouldn't accept the fact that youtube login state relies on accounts.google.com. This should be an unreachable third-party cookie for us. This is an old and forgotten issue -> https://bugzilla.mozilla.org/show_bug.cgi?id=1319839

Yeah, I just tracked it down to the redirects too, since just logging in to accounts.google.com creates cookies for youtube.com without ever visiting that site explicitly. Now that's obviously a problem, but most direct solutions I can think of to prevent this (e.g. only giving a website access to cookies when it has been explicitly navigated to) would likely break all Google logins, since they use accounts.google.com when logging into YouTube afaik.

One solution would be to further subdivide the "cookie jars" into youtube.com|accounts.google.com when logging in to YouTube, and mail.google.com|accounts.google.com when logging in to Gmail (and all other domains that are redirected to when logging in to these services), which would still allow login to function but have them be completely isolated by initial domain. And make it transparent which service is considered the current, navigated one. This of course does not prevent Google servers from storing logins by IP and associating them that way, but they can't do that reliably anyway, as that would be a huge security issue. Unfortunately, existing options that SOUND like they do this don't change a thing, e.g. privacy.firstparty.isolate and TCP.
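To make the mechanism in the two replies above concrete, here is an added toy model (not code from the thread, from Firefox, or from Google) of two cookie-partitioning policies. Firefox's Total Cookie Protection keys a site's cookie jar by the site of the current top-level document; the model's 'top-level' mode follows that rule, and its 'chain-root' mode keys the jar by the site the user originally navigated to, which is the proposal in the last reply. The redirect chain, hostnames and cookie names (SID, LOGIN_INFO) are constructed for the model and do not claim to reproduce Google's real login flow.

```javascript
// Added example: a toy model of cookie-jar partitioning under a login
// redirect chain. Two policies are compared:
//   'top-level'  -> jar keyed by the site of the current top-level document
//                   (the rule Firefox's Total Cookie Protection applies)
//   'chain-root' -> jar keyed by the site the navigation chain started on
//                   (the proposal in the thread)
// Hosts, endpoints and cookie names below are constructed for the model.

// Crude eTLD+1: the last two labels. Assumption: no public-suffix list,
// which is enough for the .com hosts used here.
function site(host) {
  return host.split('.').slice(-2).join('.');
}

class CookieStore {
  constructor(mode) {
    this.mode = mode;
    this.jars = new Map(); // partitionKey -> Map(host -> Map(name -> value))
  }

  partitionKey(ctx) {
    return this.mode === 'top-level' ? site(ctx.topLevelHost) : site(ctx.chainRootHost);
  }

  setCookie(host, ctx, name, value) {
    const key = this.partitionKey(ctx);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    const jar = this.jars.get(key);
    if (!jar.has(host)) jar.set(host, new Map());
    jar.get(host).set(name, value);
  }

  getCookies(host, ctx) {
    const jar = this.jars.get(this.partitionKey(ctx));
    const cookies = jar && jar.get(host);
    return cookies ? Object.fromEntries(cookies) : {};
  }
}

// Each step is one response in a redirect chain: the server at `host` sets
// cookies, then redirects the top-level document to the next host. Because
// the redirect is top-level, the destination becomes the top-level document,
// so its Set-Cookie headers are first-party to it, not third-party.
function followChain(store, chain, chainRootHost) {
  for (const step of chain) {
    const ctx = { topLevelHost: step.host, chainRootHost };
    for (const [name, value] of Object.entries(step.setCookies)) {
      store.setCookie(step.host, ctx, name, value);
    }
  }
}

// Scenario 1 (constructed): the user types accounts.google.com and logs in;
// the server sets its session cookie, then redirects the top-level document
// to youtube.com, which sets its own session cookie.
const loginAtAccounts = [
  { host: 'accounts.google.com', setCookies: { SID: 'acct-session' } },
  { host: 'www.youtube.com', setCookies: { LOGIN_INFO: 'yt-session' } },
];

function youtubeSeesLoginAfterAccountsLogin(mode) {
  const store = new CookieStore(mode);
  followChain(store, loginAtAccounts, 'accounts.google.com');
  // Later the user navigates directly to youtube.com: the chain root is YouTube.
  const direct = { topLevelHost: 'www.youtube.com', chainRootHost: 'www.youtube.com' };
  return 'LOGIN_INFO' in store.getCookies('www.youtube.com', direct);
}

// Scenario 2 (constructed): the user starts on youtube.com, is bounced to
// accounts.google.com to authenticate, and is redirected back. The chain
// root stays youtube.com throughout.
const loginFromYoutube = [
  { host: 'www.youtube.com', setCookies: {} },
  { host: 'accounts.google.com', setCookies: { SID: 'acct-session' } },
  { host: 'www.youtube.com', setCookies: { LOGIN_INFO: 'yt-session' } },
];

function youtubeLoginStillWorks(mode) {
  const store = new CookieStore(mode);
  followChain(store, loginFromYoutube, 'www.youtube.com');
  const direct = { topLevelHost: 'www.youtube.com', chainRootHost: 'www.youtube.com' };
  return 'LOGIN_INFO' in store.getCookies('www.youtube.com', direct);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const mode of ['top-level', 'chain-root']) {
    console.log(mode,
      '| auto-login after accounts.google.com login:', youtubeSeesLoginAfterAccountsLogin(mode),
      '| login started from youtube works:', youtubeLoginStillWorks(mode));
  }
}
```

Run with `node` to see both modes side by side. The point the model makes is the one the replies arrive at: under top-level-site partitioning, a redirect that lands on youtube.com makes youtube.com the top-level site, so its cookies go into youtube.com's own first-party jar and a later direct visit finds them; no third-party-cookie setting is involved, which is why Strict mode, privacy.firstparty.isolate and TCP do not change the outcome. Keying the jar by the navigation's starting site would keep the accounts.google.com-initiated cookies invisible to a later direct visit while still letting a login that starts from youtube.com complete, at the cost of the browser having to track and expose the chain root as the proposal asks.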