Issue metadata
Sign in to add a comment
|
Security: Multiple incognito browser windows share cookies
Reported by
whata...@gmail.com,
Feb 13 2017
|
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS Multiple incognito windows share the same set of cookies VERSION Chrome Version: Version 56.0.2924.87 (64-bit) Operating System: Windows 10 REPRODUCTION CASE Open an incognito window and navigate to a site GET https://www.google.com/ HTTP/1.1 Host: www.google.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch, br Accept-Language: en-US,en;q=0.8 No cookies. HTTP/1.1 200 OK Date: Mon, 13 Feb 2017 18:03:42 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=86400 P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info." Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Set-Cookie: NID=96=AorIho9ziqI-[truncated]_Jh; expires=Tue, 15-Aug-2017 18:03:42 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: quic=":443"; ma=2592000; v="35,34" Content-Length: 229588 [truncated] I get a new NID cookie. Then I open a second incognito window (not tab) and go again to same site: GET https://www.google.com/ HTTP/1.1 Host: www.google.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch, br Accept-Language: en-US,en;q=0.8 Cookie: NID=96=AorIho9ziqI-[truncated]_Jh Hey, why there is a cookie here? If I'm visiting two distinct web sites which happen to use same 3rd party tracking system then the tracking cookie from my "incognito" windows will allow it to combine my profile in both sites.
,
Feb 13 2017
Agree with #1, this is working-as-intended. Mark it as WontFix.
,
Feb 13 2017
I agree it works as intended but Im disputing the intent. Because it is the intent does not mean it is the correct thing to do. Someone using the incognito is lead to believe they will be incognito due to the clean up but the cookie pool shared is exposng the user. If you want to discard this then Ill need more than that. How can you justify the cookie leaked between incognito windows? Note im not talking about tabs. Id expect the tabs to work together but I would not expect diferent windows to work together. The menu option says "new" and not "another". You at least need to document the behaviour because you are misleading users. Rrgds.
,
Feb 14 2017
> Id expect the tabs to work together but I would not expect diferent windows to work together. "Working together" is simply how things work everywhere in Chrome. When you choose "New Window" from Chrome's menu, the new Window is in the original Session (you can see this using the demo in comment #1). Similarly, if you choose "New incognito window" from the menu, the new Window is within a single Incognito Session. Chrome doesn't treat tabs and windows differently (which is why you can drag tabs in and out of windows freely). Notably, Chrome doesn't have a "New Session" command like IE does ( https://blogs.msdn.microsoft.com/ie/2009/05/06/session-cookies-sessionstorage-and-ie8-or-how-can-i-log-into-two-webmail-accounts-at-the-same-time/ ). If you want to have isolated Sessions like this, you should instead use the Profile button at the top right of the window (near the minimize button) to spawn a new Session within a different Profile.
,
Feb 16 2017
Ok, yes, the Profiles is doing what I thought Incognito would do. I still don't understand why the new incognito does not simply launch a new session. It is misleading to call it incognito when I'm not really browsing incognito.
,
Feb 16 2017
When you open an Incognito browser instance, it explains what it does and does not provide: "Pages you view in incognito tabs won’t stick around in your browser’s history, cookie store, or search history after you’ve closed all of your incognito tabs. Any files you download or bookmarks you create will be kept. However, you aren’t invisible. Going incognito doesn’t hide your browsing from your employer, your internet service provider, or the websites you visit."
,
Apr 12 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Feb 13 2017