Opened 2 years ago

Closed 2 years ago

#20754 closed defect (duplicate)

gmail.com and youtube.com aren't obeying first-party isolation

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: ctang@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Discovered by Cynthia Tang of the Mozilla QA team.

Here is the Firefox Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1319839

Attachments (1)

gmail_redirects.png (191.8 KB) - added by arthuredelstein 2 years ago.

Change History (4)

comment:1 Changed 2 years ago by arthuredelstein

(This issue is seen in both Firefox and Tor Browser.)

Changed 2 years ago by arthuredelstein

Attachment: gmail_redirects.png added

comment:2 Changed 2 years ago by arthuredelstein

When I log into gmail, I can see with the Network Monitor that several 302 redirects occur before we finally reach a 200 response at mail.google.com. One of these redirects is at account.youtube.com, and it includes a Set-Cookie header:


It's clear that 302 redirects are Google's way of ensuring that when you log into gmail, you are also logged into youtube.

This clearly looks like another case of #14085.
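Added example, not part of the ticket or of Tor Browser's code: a check over a recorded redirect chain that flags redirect hops which set cookies for a site other than the one the navigation ends on, as comment:2 describes for account.youtube.com. The chain is constructed (hosts from the ticket; paths and cookie names are placeholders), and it assumes each top-level hop counts as its own first party and that the site is the last two host labels.

```python
from urllib.parse import urlsplit

# Constructed sample of one top-level navigation, one entry per response, in
# the order a network monitor lists them. Hosts are the two named in the
# ticket; paths and cookie names/values are placeholders.
CHAIN = [
    {"url": "https://mail.google.com/start", "status": 302, "set_cookie": []},
    {"url": "https://account.youtube.com/hop", "status": 302,
     "set_cookie": ["SESSION_PLACEHOLDER=abc123; Domain=.youtube.com; Secure"]},
    {"url": "https://mail.google.com/inbox", "status": 200,
     "set_cookie": ["MAIL_PLACEHOLDER=xyz789; Secure"]},
]


def site_of(url):
    # Assumption: registrable domain = last two host labels. Real code needs
    # the Public Suffix List (this is wrong for hosts such as a.example.co.uk).
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_names(headers):
    """Return the cookie name from each Set-Cookie header value."""
    return [h.split(";", 1)[0].split("=", 1)[0].strip() for h in headers]


def cross_site_cookie_hops(chain):
    """Flag 3xx hops that set cookies for a site other than the final one.

    Assumed model: every top-level hop is its own first party, so the jar
    key for a hop's cookies is that hop's site, not the destination's.
    """
    final_site = site_of(chain[-1]["url"])
    findings = []
    for hop in chain[:-1]:
        site = site_of(hop["url"])
        if 300 <= hop["status"] < 400 and hop["set_cookie"] and site != final_site:
            findings.append({"host": urlsplit(hop["url"]).hostname,
                             "jar_key": site, "final_site": final_site,
                             "cookies": cookie_names(hop["set_cookie"])})
    return findings


if __name__ == "__main__":
    for f in cross_site_cookie_hops(CHAIN):
        print(f"{f['host']} set {f['cookies']} under first party "
              f"{f['jar_key']} while navigating to {f['final_site']}")
```
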

comment:3 Changed 2 years ago by gk

Resolution: duplicate
Status: new → closed

Yes. And actually #3600 is the canonical bug. Closing this as duplicate of #14085 for now.